- Manuals
- Brands
- Dell
- Data Manager
- PowerProtect
- Security Configuration Guide
Dell PowerProtect 19.10 Data Manager Security Configuration Guide PDF
en
Summary of Content for Dell PowerProtect 19.10 Data Manager Security Configuration Guide PDF
PowerProtect Data Manager 19.10 Security Configuration Guide
August 2022 Rev. 02
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid
the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
2016- 2022 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.
Tables........................................................................................................................................... 6
Disclaimer.....................................................................................................................................................................................7 Preface.........................................................................................................................................................................................8
Chapter 1: Introduction................................................................................................................ 12 About this guide................................................................................................................................................................. 12 Introducing the PowerProtect Data Manager software...........................................................................................13 Supported Internet Protocol versions...........................................................................................................................14 Managing authentication and authorization................................................................................................................ 14 Roadmap.............................................................................................................................................................................. 14
Chapter 2: Authentication............................................................................................................16 Component access control.............................................................................................................................................. 16 Log in to PowerProtect Data Manager........................................................................................................................ 16 User and credential management...................................................................................................................................17
Preloaded accounts and default credentials..........................................................................................................17 Common password policy.......................................................................................................................................... 18 Managing local identity provider users................................................................................................................... 18 Configure password complexity and expiration.................................................................................................... 21
Login security settings..................................................................................................................................................... 22 Configure failed UI login behavior............................................................................................................................22 Operating system expired password behavior..................................................................................................... 22 Operating system expired password impacts.......................................................................................................23
Authentication types and setup.....................................................................................................................................24 Identity providers.............................................................................................................................................................. 24
Managing external identity providers..................................................................................................................... 25 Configure an external identity provider................................................................................................................. 25 Edit an external identity provider............................................................................................................................ 26 Delete an external identity provider........................................................................................................................26 Example: configuring an AD identity provider ..................................................................................................... 26 Example: configuring an LDAP identity provider..................................................................................................27 Troubleshooting LDAP configuration issues......................................................................................................... 28
Authentication to external systems.............................................................................................................................. 28 Credential security...................................................................................................................................................... 28 Remote component authentication.........................................................................................................................29 Protection engine and Search Engine node authentication..............................................................................30
Chapter 3: Authorization............................................................................................................. 33 Default authorizations...................................................................................................................................................... 33 External authorization associations.............................................................................................................................. 33
Add identity provider group-to-role mapping....................................................................................................... 33 Modify identity provider group-to-role mapping................................................................................................. 34 Delete identity provider group-to-role mapping.................................................................................................. 35
Role-based access control (RBAC).............................................................................................................................. 35 Roles............................................................................................................................................................................... 35
Contents
Contents 3
System-provided roles and associated privileges................................................................................................35 Role privilege definitions............................................................................................................................................ 38
Chapter 4: Log Settings.............................................................................................................. 42 Authentication Server logging........................................................................................................................................42 Add a log bundle................................................................................................................................................................ 42
Chapter 5: Network and Communication Security Settings......................................................... 43 Port usage...........................................................................................................................................................................43 Communications security settings................................................................................................................................ 48
Virtual networks (VLANs)......................................................................................................................................... 48 Configure SSH session timeout............................................................................................................................... 49 Configure REST API token lifespans...................................................................................................................... 49
PowerProtect Data Manager firewall support........................................................................................................... 50 Modify firewall rules....................................................................................................................................................50
Chapter 6: Data Security Settings............................................................................................... 51 Data storage security settings........................................................................................................................................51
Protection engine settings.........................................................................................................................................51 Encrypting sensitive data.................................................................................................................................................51 Backup and restore encryption.......................................................................................................................................51
Enable backup and restore encryption...................................................................................................................52 Audit logging and monitoring system activity............................................................................................................ 53
Configuring the audit service................................................................................................................................... 53 Viewing audit events in the UI................................................................................................................................. 53 View and manage alerts.............................................................................................................................................54 Export audit logs ........................................................................................................................................................ 54
Chapter 7: Cryptography.............................................................................................................56 Security certificates......................................................................................................................................................... 56
Protection engines and security certificates........................................................................................................ 57 Application agents and security certificates.........................................................................................................57 Application agent security certificate files............................................................................................................ 57 Exchange the PowerProtect Data Manager security certificate with external components................... 57
Certificate management..................................................................................................................................................58 Virtual networks...........................................................................................................................................................59 Replace security certificates through the UI........................................................................................................59 Replace security certificates with the CLI tool....................................................................................................59 Reinstall the PowerProtect plug-in for the vSphere client ..............................................................................60 Restart the web service............................................................................................................................................. 61 Exchange the new security certificates with vCenter for SPBM.................................................................... 61
Chapter 8: Security Updates and Patching.................................................................................. 63 Security updates and patching...................................................................................................................................... 63 Update the Velero or OADP version used by PowerProtect Data Manager...................................................... 63
Chapter 9: Authenticity and Integrity..........................................................................................65 About product authenticity and integrity.................................................................................................................... 65 Verification..........................................................................................................................................................................65
4 Contents
Verify the signer or signers for Windows binaries...............................................................................................65 Verify the vendor for Linux (RPM-based) packages..........................................................................................66 Verify the vendor for Linux (Debian-based) packages...................................................................................... 66 Verify GPG signatures for Linux (RPM-based) packages.................................................................................66 Verify the signature for JAR files............................................................................................................................ 67 Verify SHA-256 checksums in Windows................................................................................................................67 Verify SHA-256 checksums in Linux...................................................................................................................... 68 Verify SHA-256 checksums in AIX..........................................................................................................................68
Chapter 10: Miscellaneous Configuration and Management Elements.......................................... 69 Licensing..............................................................................................................................................................................69 Installing client software..................................................................................................................................................69 Application and application data backups................................................................................................................... 69
Appendix A: REST API Procedures...............................................................................................70 Manual certificate replacement..................................................................................................................................... 70
Prepare a public certificate and private key from a keystore...........................................................................70 Manually install a custom security certificate through the REST API.............................................................71
Configure password complexity and expiration through the REST API...............................................................72
Contents 5
1 Revision history.......................................................................................................................................................... 8
2 Related documentation.............................................................................................................................................9
3 Style conventions..................................................................................................................................................... 10
4 Key features...............................................................................................................................................................13
5 Benefits....................................................................................................................................................................... 13
6 Linux operating system preloaded accounts......................................................................................................17
7 PowerProtect Data Manager software preloaded accounts......................................................................... 17
8 Identity provider attributes................................................................................................................................... 25
9 Default attribute values..........................................................................................................................................25
10 Role privileges...........................................................................................................................................................36
11 Monitoring privileges...............................................................................................................................................38
12 Security and system audit privileges...................................................................................................................39
13 Support assistance and log management privileges....................................................................................... 39
14 User and security management privileges......................................................................................................... 39
15 System management privileges............................................................................................................................39
16 Asset management privileges............................................................................................................................... 39
17 Storage management privileges...........................................................................................................................40
18 Protection policy privileges................................................................................................................................... 40
19 Recovery and reuse management privileges.....................................................................................................40
20 SLA compliance management privileges.............................................................................................................41
21 Copy management privileges.................................................................................................................................41
22 Resource group privileges...................................................................................................................................... 41
23 PowerProtect Data Manager port requirements............................................................................................. 43
24 Supported workloads...............................................................................................................................................51
25 Rule descriptions...................................................................................................................................................... 73
Tables
6 Tables
Disclaimer THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS-IS." DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. In no event shall Dell Technologies, its affiliates or suppliers, be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell Technologies, its affiliates or suppliers have been advised of the possibility of such damages.
The Security Configuration Guide intends to be a reference. The guidance is provided based on a diverse set of installed systems and may not represent the actual risk/guidance to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions. All aspects of this Security Configuration Guide are subject to change without notice and on a case-by-case basis. Your use of the information contained in this document or materials linked herein is at your own risk. Dell reserves the right to change or update this document in its sole discretion and without notice at any time.
Reporting vulnerabilities Dell takes reports of potential vulnerabilities in our products very seriously. For the latest on how to report a security issue to Dell, please see the Dell Vulnerability Response Policy on Dell.com.
Disclaimer 7
Preface As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of the software or hardware currently in use might not support some functions that are described in this document. The product release notes provide the most up-to-date information on product features.
If a product does not function correctly or does not function as described in this document, contact Customer Support.
NOTE: This document was accurate at publication time. To ensure that you are using the latest version of this document,
go to the Customer Support website.
Product naming Data Domain (DD) is now PowerProtect DD. References to Data Domain or Data Domain systems in this documentation, in the user interface, and elsewhere in the product include PowerProtect DD systems and older Data Domain systems. In many cases the user interface has not yet been updated to reflect this change.
Language use This document might contain language that is not consistent with Dell Technologies current guidelines. Dell Technologies plans to update the document over subsequent future releases to revise the language accordingly.
This document might contain language from third-party content that is not under Dell Technologies control and is not consistent with the current guidelines for Dell Technologies own content. When such third-party content is updated by the relevant third parties, this document will be revised accordingly.
Website links The website links used in this document were valid at publication time. If you find a broken link, provide feedback on the document, and a Dell employee will update the document as necessary.
Purpose This guide describes security information related to the installation, configuration, administration and use of Dell EMC PowerProtect Data Manager.
Audience This document is intended for the host system administrator who will be involved in managing, protecting, and reusing data across the enterprise by deploying PowerProtect Data Manager.
Revision history The following table presents the revision history of this document.
Table 1. Revision history
Revision Date Description
02 August 10, 2022 Updated the procedure for configuring password complexity and expiration to include elevated privileges for service restart.
8 Preface
Table 1. Revision history (continued)
Revision Date Description
01 March 22, 2022 Initial release of this document for PowerProtect Data Manager version 19.10.
Compatibility information Software compatibility information for the PowerProtect Data Manager software is provided at the E-Lab Navigator.
Related documentation The following publications are available at Customer Support and provide additional information:
Table 2. Related documentation
Title Content
PowerProtect Data Manager Administration and User Guide Describes how to configure the software.
PowerProtect Data Manager Deployment Guide Describes how to deploy the software.
PowerProtect Data Manager Licensing Guide Describes how to license the software.
PowerProtect Data Manager Release Notes Contains information on new features, known limitations, environment, and system requirements for the software.
PowerProtect Data Manager Security Configuration Guide Contains security information.
PowerProtect Data Manager Amazon Web Services Deployment Guide
Describes how to deploy the software to Amazon Web Services (AWS).
PowerProtect Data Manager Azure Deployment Guide Describes how to deploy the software to Microsoft Azure.
PowerProtect Data Manager Google Cloud Platform Deployment Guide
Describes how to deploy the software to Google Cloud Platform (GCP).
PowerProtect Data Manager Cloud Disaster Recovery Administration and User Guide
Describes how to deploy Cloud Disaster Recovery (Cloud DR), protect virtual machines in the AWS or Azure cloud, and run recovery operations.
PowerProtect Data Manager Cyber Recovery User Guide Describes how to install, update, patch, and uninstall the Dell EMC PowerProtect Cyber Recovery software.
PowerProtect Data Manager File System User Guide Describes how to configure and use the software with the File System agent for file-system data protection.
PowerProtect Data Manager Kubernetes User Guide Describes how to configure and use the software to back up and restore namespaces and PVCs in a Kubernetes cluster.
PowerProtect Data Manager Microsoft Exchange Server User Guide
Describes how to configure and use the software to back up and restore the data in a Microsoft Exchange Server environment.
PowerProtect Data Manager Microsoft SQL Server User Guide
Describes how to configure and use the software to back up and restore the data in a Microsoft SQL Server environment.
PowerProtect Data Manager Oracle RMAN User Guide Describes how to configure and use the software to back up and restore the data in an Oracle Server environment.
PowerProtect Data Manager SAP HANA User Guide Describes how to configure and use the software to back up and restore the data in an SAP HANA Server environment.
PowerProtect Data Manager Storage Direct User Guide Describes how to configure and use the software with the Storage Direct agent to protect data on VMAX storage arrays through snapshot backup technology.
Preface 9
Table 2. Related documentation (continued)
Title Content
PowerProtect Data Manager Network Attached Storage User Guide
Describes how to configure and use the software to protect and recover the data on network-attached storage (NAS) shares and appliances.
PowerProtect Data Manager Virtual Machine User Guide Describes how to configure and use the software to back up and restore virtual machines and virtual-machine disks (VMDKs) in a vCenter Server environment.
VMware Cloud Foundation Disaster Recovery With PowerProtect Data Manager
Provides a detailed description of how to perform an end-to- end disaster recovery of a VMware Cloud Foundation (VCF) environment.
PowerProtect Data Manager Disaster Recovery Best Practices Guide
Provides guidance and best practices for a PowerProtect Data Manager server disaster-recovery solution.
PowerProtect Data Manager Public REST API documentation Contains the PowerProtect Data Manager APIs and includes tutorials to guide you in their use.
vRealize Automation Data Protection Extension for Data Protection Systems Installation and Administration Guide
Describes how to install, configure, and use the Dell EMC vRealize Data Protection Extension.
Typographical conventions The following type style conventions are used in this document:
Table 3. Style conventions
Formatting Description
Bold Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window.
Italic Used for full titles of publications that are referenced in text.
Monospace Used for: System code System output, such as an error message or script Pathnames, file names, file name extensions, prompts, and syntax Commands and options
Monospace italic Used for variables.
Monospace bold Used for user input.
[ ] Square brackets enclose optional values.
| Vertical line indicates alternate selections. The vertical line means or for the alternate selections.
{ } Braces enclose content that the user must specify, such as x, y, or z.
... Ellipses indicate non-essential information that is omitted from the example.
You can use the following resources to find more information about this product, obtain support, and provide feedback.
Where to find product documentation The Customer Support website The Community Network
10 Preface
Where to get support The Customer Support website provides access to product licensing, documentation, advisories, downloads, and how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Customer Support.
To access a product-specific page:
1. Go to the Customer Support website. 2. In the search box, type a product name, and then from the list that appears, select the product.
Knowledgebase The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.
To search the Knowledgebase:
1. Go to the Customer Support website. 2. On the Support tab, click Knowledge Base. 3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by
typing a product name in the search box, and then selecting the product from the list that appears.
Live chat To participate in a live interactive chat with a support agent:
1. Go to the Customer Support website. 2. On the Support tab, click Contact Support. 3. On the Contact Information page, click the relevant support, and then proceed.
Service requests To obtain in-depth help from a support agent, submit a service request. To submit a service request:
1. Go to the Customer Support website. 2. On the Support tab, click Service Requests.
NOTE: To create a service request, you must have a valid support agreement. For details about either an account or
obtaining a valid support agreement, contact a sales representative. To find the details of a service request, in the
Service Request Number field, type the service request number, and then click the right arrow.
To review an open service request:
1. Go to the Customer Support website. 2. On the Support tab, click Service Requests. 3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.
Online communities For peer contacts, conversations, and content on product support and solutions, go to the Community Network. Interactively engage with customers, partners, and certified professionals online.
How to provide feedback Feedback helps to improve the accuracy, organization, and overall quality of publications. You can send feedback to DPAD.Doc.Feedback@emc.com.
Preface 11
Introduction
Topics:
About this guide Introducing the PowerProtect Data Manager software Supported Internet Protocol versions Managing authentication and authorization Roadmap
About this guide This guide provides an overview of security configuration settings available in PowerProtect Data Manager, secure deployment, and physical security controls that are required to ensure the secure operation of the product.
Authentication Authentication describes the settings, configuration options, and means by which users and external systems identify themselves to PowerProtect Data Manager.
Authorization Authorization describes how PowerProtect Data Manager maps an authenticated user or external system to a level of access or permissions. More broadly, authentication describes what users are allowed to do.
Log Settings A log is a chronological record that helps you to examine the sequence of activities surrounding or leading up to an operation, procedure, or event in a security-related transaction from beginning to end. This chapter describes how to access and manage the logs files available in PowerProtect Data Manager.
Network and Communication Security Settings
Communication security settings enable the establishment of secure communication channels between PowerProtect Data Manager components, PowerProtect Data Manager components and external systems, and PowerProtect Data Manager components and external components. This chapter describes the PowerProtect Data Manager uses secure channels for communication and how to configure PowerProtect Data Manager in a firewall environment.
Data Security Settings
Data security settings enable you to define controls that prevent unauthorized access and disclosure of data that is permanently stored by PowerProtect Data Manager. This chapter describes the settings available to ensure the protection of the data that is handled by PowerProtect Data Manager.
Cryptography This chapter describes the cryptographic options and components for PowerProtect Data Manager, including how to manage the security certificates in use.
Security Updates and Patching
Instructions for obtaining and applying updates and patches for the PowerProtect Data Manager software. Where applicable, these instructions include how to apply off-cycle updates for specific components.
Authenticity and Integrity
Information and instructions that enable you to verify PowerProtect Data Manager and its downloads before deployment or installation. Verification typically happens through methods such as digital signatures and checksums.
Miscellaneous Configuration and Management Elements
This chapter contains all other topics that do not fall into one of the earlier categories.
REST API procedures
This appendix describes other ways that you can accomplish some goals for which the preferred instructions use the web user interface (UI) or the command-line interface (CLI).
1
12 Introduction
Introducing the PowerProtect Data Manager software PowerProtect Data Manager software is an enterprise solution that provides software-defined data protection, deduplication, operational agility, self-service, and IT governance.
PowerProtect Data Manager key features include the following:
Table 4. Key features
Software-defined data protection with integrated deduplication, replication, and reuse
Data backup and recovery self-service operations from native applications that are combined with central IT governance
Multicloud optimization with integrated Cloud Tiering
SaaS-based monitoring and reporting
Modern services-based architecture for ease of deployment, scaling, and updating
PowerProtect Data Manager integrates multiple data-protection products within the Dell EMC Data Protection portfolio to enable data protection as a service, providing the following benefits:
Table 5. Benefits
Enables data-protection teams to create data paths with provisioning, automation, and scheduling to embed protection engines into their data-protection infrastructure for high-performance backup and recovery
Enables backup administrators of large-scale environments to schedule backups for the following asset types from a central location on the PowerProtect Data Manager server: VMware virtual machines File systems VMAX storage groups Kubernetes clusters Microsoft Exchange Server and Microsoft SQL Server databases Oracle databases SAP HANA databases Network-attached storage (NAS) shares
Provides an agent-based approach to automatically discover and protect databases on an application server
Enables self-service and centralized protection by: Monitoring service-level objectives (SLOs) Identifying violations of recovery-point objectives (RPOs)
Supports deploying an external VM Direct appliance that moves data with a VM Direct Engine that is optimized for performing high-capacity backup streams
Comes with a basic embedded VM Direct Engine that has the following functions and capabilities: It is automatically used as a fallback proxy for performing backup and restore operations when an external VM Direct
Engine fails, is disabled, or is unavailable It has a limited capacity for performing backup streams It can work with virtual-machine crash-consistent protection policies that use the Transparent Snapshot Data Mover
(TSDM) protection mechanism It enables the Search Service used by PowerProtect Search
Supports PowerProtect Search, which enables backup administrators to quickly search for and restore VM and NAS file copies
Supports the vRealize Automation DP extension, which enables the automatic provisioning of virtual machines and on-demand backups and restores
Integrates with Dell EMC Cloud Disaster Recovery (Cloud DR), including workflows for Cloud DR deployment, protection, and recovery operations in the AWS and Azure clouds
Integrates with Dell EMC PowerProtect Cloud Snapshot Manager to view PowerProtect Cloud Snapshot Manager jobs, alerts, and reports from a consolidated PowerProtect Data Manager dashboard
Introduction 13
Table 5. Benefits (continued)
Integrates with Dell EMC PowerProtect Cyber Recovery to protect the integrity of a PowerProtect Data Manager environment from cyber threats
Provides a RESTful API interface that allows PowerProtect Data Manager to be monitored, configured, and orchestrated: Existing automation frameworks can be integrated New scripts can be quickly written Easy-to-follow tutorials are provided
Supported Internet Protocol versions PowerProtect Data Manager only supports the use of IPv4 addresses.
Using an IPv6 address can result in errors or other unexpected behavior. When configuring devices to connect over the network with PowerProtect Data Manager, use only IPv4 addresses.
Managing authentication and authorization PowerProtect Data Manager provides a security model which controls authentication and authorization through several smaller building blocks.
Users and groups are defined by the local identity provider or by an external identity provider and group mapping. These sources are the means by which users identify themselves to PowerProtect Data Manager. Authentication on page 16 provides more information about identity providers and about managing users and groups.
After authentication, each user or group has at least one assigned role. A role delegates authorization from the system administrator to users by associating a set of privileges which define the tasks that the user can perform. You assign a role to a user or a group as part of creating or modifying the user or group. Role-based access control (RBAC) on page 35 provides information about roles and role assignments.
Roadmap For new deployments, the following steps describe a recommended course of security-related events. Some steps such as external identity providers may not apply to all environments.
Steps
1. Review the port requirements and configure environment connectivity, as required.
Port usage on page 43 provides more information.
2. Set up an email server.
The PowerProtect Data Manager Administration and User Guide provides instructions. The email server is partly used for email related to password expiration and resetting passwords.
3. Update the contact information for the admin user to include a working email address for password-related notification.
User and credential management on page 17 provides instructions.
4. Change the self-signed security certificates.
Security certificates on page 56 and Certificate management on page 58 provide instructions.
5. Configure an external identity provider.
Authentication types and setup on page 24 and Managing external identity providers on page 25 provide instructions.
6. Review the PowerProtect Data Manager roles.
Role-based access control (RBAC) on page 35 provides more information.
7. Add local users and change the local user passwords. Assign local users to a PowerProtect Data Manager role.
User and credential management on page 17 provides instructions.
8. Map external identity provider users to a PowerProtect Data Manager role.
External authorization associations on page 33 provides instructions.
14 Introduction
Next steps
Complete any other security tasks that apply to your environment.
Introduction 15
Authentication Authentication describes the settings, configuration options, and means by which users and external systems identify themselves to PowerProtect Data Manager.
Topics:
Component access control Log in to PowerProtect Data Manager User and credential management Login security settings Authentication types and setup Identity providers Authentication to external systems
Component access control Component access control settings define how to control external and internal systems or component access to the product.
PowerProtect Data Manager uses validated tokens to provide secure operations and data transfer between components.
Only authenticated users can use the UI to perform operations. When a user logs in to the UI, the user verification process, or requestor contacts the Authentication Service to verify the credentials of the user account. When the Authentication Service successfully verifies the user, the application issues a token to the requestor. All the PowerProtect Data Manager components that require authentication can use the token to verify the user. After the Authentication Service authenticates the user by using the token, the Authentication Service determines the level of authorization that the user has to perform the requested operation.
Log in to PowerProtect Data Manager When you log in to the PowerProtect Data Manager UI, provide an active username and password.
Usernames follow the format user[@domain], where domain is an optional identifier that associates the user with a particular identity provider.
For example: jsmith or administrator@test-lab.
If you do not supply a domain, the authentication service checks the default identity provider. If you supply a domain, the authentication service consults the external identity provider for that domain and determines
whether to allow the login.
When the identity provider validates the credentials, the authentication service issues a user token. The PowerProtect Data Manager UI uses the token information to authorize activities.
Unless you have changed the system configuration, the default identity provider is the local identity provider.
NOTE: If the user interface is left unattended for more than 30 minutes and times out, the login page might display with
the error 503: Unknown Error. If this occurs, dismiss the error and log in again with your username and password.
2
16 Authentication
User and credential management These topics describe how to work with local accounts. This includes a list of accounts which exist from deployment, as well as how to manage user accounts, change passwords, and secure credentials.
Preloaded accounts and default credentials
This topic describes the local identity provider user accounts that come with a default PowerProtect Data Manager installation and any applicable default credentials.
Most default credentials exist only for the period between deployment and initial configuration. Use the Change required column to identify credentials that you must replace during the configuration process.
The Purposes column identifies the expected uses for each entry. The Actions column identifies points where customer interaction is required.
Linux operating system
This table describes accounts for accessing the Linux operating system on which PowerProtect Data Manager runs.
Table 6. Linux operating system preloaded accounts
Account or credential
Default password Expiry interval Change required Purposes Actions
root changeme 60 days Yes Provides root privilege elevation for commands.
N/A
support $upp0rt! 60 days Yes Controls SSH access to system console.
N/A
admin @ppAdm1n 60 days Yes Controls SSH access to system console.
N/A
Even if you disable Use common password to set different component passwords during deployment, the configuration process sets the same password for each of the operating system accounts.
PowerProtect Data Manager software
This table describes credentials for working with the PowerProtect Data Manager software.
Table 7. PowerProtect Data Manager software preloaded accounts
Account or credential
Default password Expiry interval Change required Purposes Actions
UI admin admin 60 days Yes Controls access to the web UI. Controls access to REST API requests.
N/A
PowerProtect Data Manager automatically configures a strong, unique passphrase during deployment. Credential security on page 28 provides more information about the lockbox.
Authentication 17
Admin account password expiry
You must have a valid admin account password to log in to PowerProtect Data Manager and perform regular administrative tasks. Preventing it from expiring is an essential part of system maintenance.
Configure notification of critical alerts to receive an alert 15 days, 7 days, 3 days, and 1 day before the admin password is due to expire. For information about configuring alert notification, see the PowerProtect Data Manager Administration and User Guide.
To change the admin password before it expires, see Change operating system passwords on page 21.
If the admin password has expired and you need to reset it, see Operating system expired password behavior on page 22.
Server DR restores
Restoring PowerProtect Data Manager from a server DR backup resets the passwords for all preloaded accounts to the default passwords.
The UI administrator account password is not reset and retains the last configured value. After you restore from a server DR backup, change the passwords for the preloaded accounts as soon as possible.
Common password policy
When you set a local identity provider account password, ensure that the credential meets the following requirements: Contains a minimum of nine characters and a maximum of one hundred characters Contains at least one numeric character (0-9) Contains at least one uppercase character (A-Z) Contains at least one lowercase character (a-z) Contains at least one special character from the following list of acceptable characters:
!@#$%^&*()_-+=~{}[]<>?/`:;',.|\"
Spaces are allowed. Contains only letters from the English alphabet Does not contain other sensitive information that is associated with the user account, such as the first and last names,
username, or email address
Managing local identity provider users
Only the Administrator and the Security Administrator roles can manage users. The Administrator, Security Administrator, and User roles can view users.
NOTE: User authorization grants or denies users access to PowerProtect Data Manager resources. Authorization is the
same for local identity provider users and external identity provider users.
You cannot rename or change the role assignment for the preloaded administrator account.
Add a local user
Only the Administrator and the Security Administrator roles can add users to the local identity provider.
Prerequisites
This procedure contains the process of role assignment, which delegates the authorization to perform particular tasks. Review the list of system-defined roles and identify all necessary roles.
Steps
1. From the left navigation pane, select Administration > Access Control.
The Access Control window appears.
2. Click the Users/Groups tab.
18 Authentication
PowerProtect Data Manager displays a list of configured user accounts and external identity provider groups, including any associated roles.
3. Click Add User/Group. The Add User/Group window opens on the User Type tab.
4. Select Local User.
5. Provide the following information:
First Name Last Name Email Address User Name Password Retype to confirm the password. Force Password ChangeEnabled by default. Requires the user to update the password at first login.
6. Click Next. The Add User/Group window moves to the Role tab.
7. Select one or more applicable roles.
To see a list of the permissions for each role, click >. You can further refine the applicability of each role on the next tab.
8. Click Next. The Add User/Group window moves to the Summary tab.
9. Review your selections, correct any errors, and then click Finish.
Results
The new user appears in the list of configured user accounts and groups.
Edit or delete a local user
Only the Administrator and the Security Administrator roles can edit or delete local identity provider users.
Prerequisites
This procedure contains the process of role assignment, which delegates the authorization to perform particular tasks. Review the list of system-defined roles and identify all necessary roles.
Steps
1. From the left navigation pane, select Administration > Access Control.
The Access Control window appears.
2. Click the Users/Groups tab. PowerProtect Data Manager displays a list of configured user accounts and external identity provider groups, including any associated roles.
3. Click for any user account to see the following information:
Username First name Last name Email address User role Date the user was created
4. Select the user that you want to edit or delete.
5. To delete the user, click Delete. The user disappears from the list of configured user accounts and groups.
6. To edit the user, click Edit. The Edit User/Group window opens on the User Type tab.
7. Change any of the following information:
First Name Last Name
Authentication 19
Email Address User Name Password Retype to confirm the password. Force Password ChangeEnabled by default. Requires the user to update the password at first login.
8. Click Next. The Edit User/Group window moves to the Role tab.
9. Select one or more applicable roles.
To see a list of the permissions for each role, click >. You can further refine the applicability of each role on the next tab.
10. Click Next. The Edit User/Group window moves to the Summary tab.
11. Review your selections, correct any errors, and then click Finish.
Results
The changes appear in the list of configured user accounts and groups.
Change a local user password
Use the self-service feature to change the password for a local identity provider user.
Prerequisites
If you do not know the current password, Reset a forgotten local user password on page 20 provides more information. External identity provider users cannot reset their password using this procedure. Contact the identity provider administrator to reset your password.
Steps
1. Log in to the PowerProtect Data Manager UI.
2. From the banner, select User Options > Change Password.
3. Type the current password for the local user.
4. Type the new password twice for confirmation.
The new password must conform to the Common password policy on page 18.
5. Click Save.
Reset a forgotten local user password
Use the self-service feature to reset a forgotten password for a local user.
Prerequisites
The account must be a local identity provider user. A mail server must be configured on PowerProtect Data Manager. External identity provider users cannot reset their password using this procedure. Contact the identity provider administrator
to reset your password.
Review Common password policy on page 18 before you select a new password.
About this task
Local users can receive an email with a link to reset their password. The reset password link in the email expires in 20 minutes, after which time they must request another link.
Steps
1. In the PowerProtect Data Manager login page, click Forgot Password.
2. In the Forgot Password dialog box, type your user name, click Send Link, and click OK to dismiss the informational dialog box.
20 Authentication
The system sends a message to the email address associated with your user name.
3. Open the email and click the link.
4. In the Reset Password dialog box, type a new password in the New Password and Confirm New Password fields, and click Save. The PowerProtect Data Manager login page appears.
5. Log in with your user name and new password.
Change operating system passwords
Only the Administrator role can change operating system passwords. You can change the password for the Linux operating system root, admin, and support users by using the PowerProtect Data Manager UI.
About this task
For the root user, this method works if the current password has not expired and you know the current password. If the root password has expired, the attempt fails.
Review Common password policy on page 18 before you select a new password.
Steps
1. Log in to the PowerProtect Data Manager user interface as a user with the Administrator role.
2. Click , and then select Authentication. The System Users window displays.
3. Select the password you want to change: For the root and support users, click Edit. For the operating system admin user, click Reset. You can change the operating system admin user password without
providing the existing password.
4. Update the form, and then click Save.
Configure password complexity and expiration
This topic describes how to configure the PowerProtect Data Manager password requirements through the console. If you change the regular expressions, change both regular expressions to keep the rules consistent.
About this task
Common password policy on page 18 describes the default password complexity rules. Appendix REST API Procedures on page 70 describes an alternative method to configure the password requirements.
Steps
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. Using a Linux text editor, open /usr/local/brs/lib/aaa/config/application-policies- custom.properties.
3. Modify the following properties:
Property Description
aaa.server.policies.password.passwordRegex Controls the password length and strength for the REST API.
aaa.server.policies.password.passwordRegexJS Controls the password length and strength for the UI.
aaa.server.policies.password.maxAge Controls the password expiry interval. The default is 60 days.
4. Save and close the file.
5. Apply the new configuration:
aaa restart
Authentication 21
Login security settings These topics describe configuration options that guard access to PowerProtect Data Manager and control how users log in.
Configure failed UI login behavior
This topic describes how the PowerProtect Data Manager UI behaves for failed login attempts. These steps also change the behavior of the lockout mechanism that regulates failed login attempts through the UI.
About this task
By default, PowerProtect Data Manager UI user accounts are locked out after five failed login attempts. After reaching this threshold, the default lockout period is five minutes before you can try logging in again.
Steps
1. Connect to the PowerProtect Data Manager console as an admin user.
2. Using a Linux text editor, open /usr/local/brs/lib/aaa/config/application-server-custom.properties.
3. Modify the following properties:
Property Description
aaaServer.userMaxUnsuccessfulAttempts The number of failed login attempts after which PowerProtect Data Manager locks out the user account.
aaaServer.userLockoutTimeInMinutes The number of minutes for which PowerProtect Data Manager locks out the user account after exceeding the failure limit.
4. Save and close the file.
5. Apply the new configuration:
aaa restart
Operating system expired password behavior
For the Linux operating system admin, root, and support user passwords, different expiry scenarios can arise. Each scenario has two courses of action, depending on whether you know the expired password for that account.
You must know at least one password to reset an expired password. Otherwise, contact Customer Support.
The admin password expires
You can reset the admin password by logging in to the PowerProtect Data Manager UI with an account that has the Administrator role. Change operating system passwords on page 21 provides instructions. You do not need to know the expired password.
If you cannot log in to the UI with the Administrator role:
Establish an SSH session to PowerProtect Data Manager as the admin user. The console prompts you to type the expired password and then set a new password.
If you do not know the expired password but you know the root password, you can reset the admin password by using the vSphere console. Use the vSphere console to log in to PowerProtect Data Manager as the root user. Then, reset the admin password by typing passwd admin. A restart is not required.
If you do not know the root password or the expired password, contact Customer Support.
The root password expires
If you know the expired password, you can reset the root password through the PowerProtect Data Manager console. An expired root password cannot be reset through the UI.
22 Authentication
Establish an SSH session to PowerProtect Data Manager as the admin user, and then change to the root user by typing su -. The console prompts you to type the expired root password and then set a new password.
If you do not know the expired password but you know the admin password, you can reset the root password by using the console. Establish an SSH session to PowerProtect Data Manager as the admin user. Then, reset the root password by typing sudo passwd root. A restart is not required.
If you do not know the admin password or the expired password, contact Customer Support.
The admin and root passwords both expire
If you know the expired passwords, you can reset both passwords through the PowerProtect Data Manager console by combining the methods for each expired password.
Establish an SSH session to PowerProtect Data Manager as the admin user. The console prompts you to type the expired admin password and then set a new admin password. Then, change to the root user by typing su -. The console prompts you to type the expired root password and then set a new root password.
If you do not know the expired passwords, contact Customer Support. The resolution requires restarting PowerProtect Data Manager.
The support password expires
If you know the expired password, you can reset the support password through the PowerProtect Data Manager console or through the UI:
For the console, establish an SSH session to PowerProtect Data Manager as the support user. The console prompts you to type the expired password and then set a new password.
For the UI, Change operating system passwords on page 21 provides instructions.
If you do not know the expired password but you know the admin or root password:
If you know the admin password, you can reset the support password by using the console. Establish an SSH session to PowerProtect Data Manager as the admin user. Then, reset the support password by typing sudo passwd support. A restart is not required.
If you know the root password, you can reset the support password by using the vSphere console. Use the vSphere console to log in to PowerProtect Data Manager as the root user. Then, reset the support password by typing passwd support. A restart is not required.
If you do not know the admin or root passwords or the expired password, contact Customer Support.
The admin, root, and support passwords all expire
If you know some or all of the expired passwords, you can reset all of the passwords through the PowerProtect Data Manager console by combining the methods for each expired password. Follow the directions for The admin and root passwords both expire on page 23 and then The support password expires on page 23.
If you do not know any of the expired passwords, contact Customer Support.
Operating system expired password impacts
For the Linux operating system admin and root user passwords, some aspects of PowerProtect Data Manager may not operate correctly when one or both passwords expire.
Protection engine and Search Engine node operating system passwords do not expire. PowerProtect Data Manager automatically manages these passwords, which are meant for system use only.
All functionality that is not listed in these sections continues to work after passwords expire.
Admin password expires
Software update prechecks fail and block the update process.
Authentication 23
The server DR service script must be run by the root user. Running the script as the root user changes the service script ownership and the ownership of related files to the root user.
Root password expires
The system manager cannot start after PowerProtect Data Manager restarts. System operations that require root privileges fail. For example, changing expirations, opening network ports, and changes to file ownership.
Software update prechecks fail and block the update process. sudo operations for server DR, such as mounting, unmounting, and permissions or ownership changes fail and block related
operations, including: Changing the server DR storage target from NFS to DD Boost, or from DD Boost to NFS. Changing the server DR storage target from one protection storage system to another. Password synchronization with the storage target. Server DR restores.
The compliance verification Docker service and compliance verification services cannot start.
Authentication types and setup These topics describe authentication source and configuration options for PowerProtect Data Manager. For example, how to configure and use external identity providers.
Identity providers An identity provider is an abstract source of user and group data that PowerProtect Data Manager can map to corresponding roles. The abstraction simplifies user and role management.
In addition to the list of supported external identity providers, PowerProtect Data Manager contains locally defined identity providers for application and operating system users.
PowerProtect Data Manager supports multiple active identity providers. Each identity provider has a unique associated domain that identifies all users from that identity provider.
You can map users to PowerProtect Data Manager roles directly or through user groups that come from an identity provider. After you configure an identity provider and map a user or group to a role, you can log in to PowerProtect Data Manager as that user, or as a user from that group.
Some local users have restricted capabilities. For example, operating system users are not mapped to application roles and are limited to SSH access. The local identity provider does not support adding or deleting operating system users, only changing the passwords for existing accounts.
Supported external identity providers
Lightweight Directory Access Protocol (LDAP) LDAP over SSL (LDAPS) Microsoft Active Directory (AD) server Microsoft AD server over SSL (AD over SSL)
Limitations
PowerProtect Data Manager does not support multiple domains or forests on the same identity provider. Instead, configure separate identity providers for each domain or base.
24 Authentication
Managing external identity providers
You can configure an external identity provider that manages usernames and passwords.
Only the Administrator and the Security Administrator roles can manage external identity providers. Manage identity providers and roles through the Administration > Access Control pane.
Configure an external identity provider
Only the Administrator and the Security Administrator roles can configure an external identity provider.
Steps
1. From the left navigation pane, select Administration > Access Control.
The Access Control window appears.
2. Click the Directory Settings tab. PowerProtect Data Manager displays a list of configured identity providers.
3. Click Add. The Add Directory window appears.
4. Configure the following attributes:
Table 8. Identity provider attributes
Attribute Description
Server Type Select a supported identity provider type.
Server Address Type the hostname or IP address of the identity provider. A protocol prefix is not required.
Secure Connection Select this attribute if the identity provider uses a secure connection method such as LDAPS or AD over SSL. Selecting this attribute enables the certificate validation controls.
Port Type the port number for the identity provider.
Domain Type the domain for which this identity provider authenticates users. For example, ldap.example.com.
User Name Type a user account that has full read access to the directory. A domain is not required.
Password Type the password for the specified user account.
Group Search Attribute
Type the attribute name that the identity provider should use to validate the group name in the hierarchy.
Group Member Attribute
Type the attribute name that the identity provider should use to validate the group member in the hierarchy.
Group Search Base If searches should not start from the default base, type the name of a base from which searches should start. For example, if the domain is ldap.example.com, type admin to start searches from admin.ldap.example.com. Otherwise, leave this attribute empty. Only a single search base is supported.
Populate the default values from this table into the appropriate fields when indicated:
Table 9. Default attribute values
Attribute Value or format
AD and AD over SSL LDAP and LDAPS
Port For unsecure connections, the default port number is 389. For secure connections, the default port number is 636.
Group Search Attribute sAMAccountName cn Group Member Attribute member memberUid
Authentication 25
5. If you selected a secure connection method:
a. Click Verify. b. In the Verify Certificate window, verify the details of the identity provider TLS certificate and then click Accept.
NOTE: When you specify the LDAPS protocol, PowerProtect Data Manager automatically downloads the certificates
required to connect to the identity provider. Once downloaded, the Certificate Validation field appears. Click Verify
to compare the displayed certificate information with the expected certificate information. If the certificates match,
click Accept to continue with the setup. Otherwise, click Cancel to cancel the setup.
6. Click Save.
Next steps
Assign identity provider groups to a role. The section Add identity provider group-to-role mapping on page 33 provides instructions. You cannot log in as an external user without mapping users or groups to roles.
Edit an external identity provider
Only the Administrator and the Security Administrator roles can edit an external identity provider.
Steps
1. From the left navigation pane, select Administration > Access Control.
The Access Control window appears.
2. Click the Directory Settings tab. PowerProtect Data Manager displays a list of configured identity providers.
3. To view more information about an identity provider, click in the Details column for that identity provider. PowerProtect Data Manager opens the Details pane, which displays information about the identity provider's configuration.
4. Select the identity provider, and then click Edit.
5. Edit the attributes as required.
6. Click Save.
Delete an external identity provider
Only the Administrator and the Security Administrator roles can delete an external identity provider.
Steps
1. From the left navigation pane, select Administration > Access Control.
The Access Control window appears.
2. Click the Directory Settings tab. PowerProtect Data Manager displays a list of configured identity providers.
3. Select the identity provider that you would like to delete, and then click Delete.
Example: configuring an AD identity provider
In this example, an AD server that is named ad.forest1.org has an AD group called TestGroup_99. TestGroup_99 contains three users: Meghan, Patrick, and Liam. These users require access to the PowerProtect Data Manager UI with the privileges that are assigned to the User role.
View the properties of the AD configuration
To view the properties of the AD configuration, use a third-party tool such as the AD Explorer program.
Based on this AD configuration, specify the following values for PowerProtect Data Manager LDAP configuration options:
Domain: forest1.org
26 Authentication
Server Address: ad.forest1.org
Configure the ad.forest1.org identity provider
The following figure provides an example of the group attributes that are required to configure the ad.forest1.org identity provider.
Figure 1. AD group properties in AD Explorer
Based on the properties of TestGroup_99, specify the following values for the LDAP configuration options:
Group Search Attribute: sAMAccountName
Example: configuring an LDAP identity provider
In this example, an LDAP server that is named alberta.lss.emc.com has a group that is named AlbertaAllGroups. AlbertaAllGroups contains three LDAP users: alberta_user1, alberta_user2, and alberta_user3. These users require access to the PowerProtect Data Manager UI with the privileges that are assigned to the User role.
View the LDAP configuration properties
To view the properties of the LDAP configuration, use a third party tool such as the LDAP Admin program.
Based on this configuration, specify the following values for the LDAP configuration options:
Domain: alberta.emc.com Server Address: alberta.lss.emc.com Group Search Attribute: cn Group Member Attribute: uniqueMember
Authentication 27
Troubleshooting LDAP configuration issues
This section provides information about error messages that might appear when you configure an external identity provider for authentication.
For more information about LDAP configuration errors, refer to
http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes#gsc.tab=0.
User credentials are incorrect
The following message appears when the user credentials that you specified are not correct:
Error Code: 49: Invalid credentials
To resolve this issue, ensure that the values in the User Name and Password fields are correct.
Domain is not correct
One of the following messages appears when the Domain field is not correct:
Error Code: 32: No such object exists. Error Code: -3: LDAP error: Invalid name: [invalidName]. LdapIdentitySource cannot have an empty base. Error Code: 34: An invalid DN syntax. To resolve this issue, ensure that the value in the Domain field is correct.
Format of the Server Address field is not correct
One of the following messages appears when the format of the Server Address field is not correct:
Error Code: 2: Protocol error Error Code: -3: LDAP error: Cannot parse url: [url] To resolve this issue, ensure that you specify the Server Address field without a protocol prefix. Type only the hostname or IP address.
Authentication to external systems The following topics describe how PowerProtect Data Manager communicates and authenticates with other components.
Credential security
The PowerProtect Data Manager lockbox securely stores known secrets in a central location.
All stored secrets in the lockbox are encrypted. When an activity requires information from the lockbox, the requesting process provides the lockbox passphrase and then receives the required information in a decrypted format.
The lockbox holds secrets such as:
Credentials for local user accounts. Protection storage credentials that you supply as you configure the appliance. Credentials by which application agents authenticate to protected assets.
PowerProtect Data Manager creates a strong, unique passphrase during deployment to protect the lockbox contents. After deployment, PowerProtect Data Manager automatically encrypts and manages the lockbox passphrase without user interaction. Automatic management removes the requirement to provide the lockbox passphrase when you update from supported releases. Server DR backups protect the lockbox and its contents.
28 Authentication
The File System agent also uses a separate lockbox on protected hosts to store sensitive information, including the credentials by which the application agent accesses external storage infrastructure.
For Kubernetes, PowerProtect Data Manager stores the necessary certificates and credentials for protection operations in a secret resource on the Kubernetes cluster. The Kubernetes documentation provides more information about how to enable encryption for this secret resource.
Remote component authentication
The PowerProtect Data Manager lockbox securely stores known secrets. These secrets include any user account and protection storage credentials that you supply as you configure the software.
Credential security on page 28 provides more information about the lockbox.
PowerProtect Data Manager can use stored credentials in multiple contexts. The term "consumer" means a place where the appliance uses a credential, for any purpose. For example:
A username and password may apply to one individual host or asset. In this case, the host or asset is the consumer. The same credential could also apply to all assets on the same protection policy, if the assets all authenticate with the same
username and password. In this case, the protection policy is the consumer, even though the credential applies to the assets under that policy.
You can manage stored credentials through the PowerProtect Data Manager UI or the REST API.
Add a credential
Supply PowerProtect Data Manager with the necessary credentials to access external systems, such as storage targets, assets, and asset sources. You can also add credentials when you create a protection policy.
Steps
1. From the left navigation pane, select Administration > Credentials.
The Credentials window appears.
2. Click Add. The Add Credential dialog box opens.
3. Type a name for the credential.
Credential names should clearly identify the intended purpose and usage.
4. Select a credential type from the drop-down list.
The credential type determines the remaining fields. For example, username and password, token, or key.
5. Complete the remaining fields according to the selected type.
6. Click Save.
PowerProtect Data Manager adds the credential to the keystore.
View credential usage
For each stored credential, you can see a list of items that use that credential.
Steps
1. From the left navigation pane, select Administration > Credentials.
The Credentials window appears.
2. Locate the credential in the list of stored credentials.
Use the filters and column sort options to organize the list of credentials.
3. Select the credential from the list. Review the Consumer Count column for that credential. If the count is zero, the credential is not used anywhere.
4. Select the number in the Consumer Count column. The Details pane opens and displays a list of consumers that use the selected credential. The list groups items by type. For example, assets, protection policies, or storage targets.
Authentication 29
Edit a credential
You can change a credential name or stored authentication details, such as a username or password. You cannot change the credential type.
Steps
1. From the left navigation pane, select Administration > Credentials.
The Credentials window appears.
2. Locate the credential in the list of stored credentials.
Use the filters and column sort options to organize the list of credentials.
3. Select the credential from the list, and then click Edit. The Edit Credential dialog box opens.
4. Modify any appropriate values.
The available values depend on the credential type. For example, username and password, token, or key.
5. Click Save.
PowerProtect Data Manager updates the stored credential.
Delete credentials
You can delete any credentials that are no longer in use or which you no longer need. Deleting a credential creates an entry in the audit log.
Prerequisites
The credentials must not be used anywhere. Verify the credential usage and that the consumer count is zero. If necessary, update anything that uses the credentials, such as protection policies or assets.
Steps
1. From the left navigation pane, select Administration > Credentials.
The Credentials window appears.
2. Locate the credential in the list of stored credentials.
Use the filters and column sort options to organize the list of credentials.
3. Select the credential or credentials from the list.
4. Verify that the Consumer Count column displays zero consumers. If the count is zero, the credential is not used anywhere and you can delete the credential. The Delete button activates when all selected credentials have zero consumers.
5. Click Delete.
6. Click OK to confirm the deletion.
PowerProtect Data Manager removes the credential.
Protection engine and Search Engine node authentication
Protection engines and Search Engine nodes are virtual machines that exist apart from, but under the control of, PowerProtect Data Manager.
Because of their function, these components have IP addresses that allow external access. Each component has admin and root user accounts, which are only used to provide PowerProtect Data Manager functionality and for troubleshooting. For example, the Search Engine node admin user accounts enable PowerProtect Data Manager to perform operations on each node, such as obtaining the health status of the node.
The password management policies for these accounts are set to lock the admin user account after three failed attempts within five minutes. If you try to access a component while the admin user account is locked, the amount of time that the account remains locked increases.
There is no public interface available that enables you to access a protection engine or Search Engine node by using these admin credentials. All required interaction with these components happens through the PowerProtect Data Manager UI.
30 Authentication
Get protection engine or Search Engine node credentials
The management tools for protection engines and Search Engine nodes are provided with PowerProtect Data Manager. Use the management tools to get credentials for these components.
About this task
The term protection engines here includes VM Direct engines, NAS protection engines, and Kubernetes protection engines.
Steps
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. Set the environment variables:
source /opt/emc/vmdirect/unit/vmdirect.env 3. Obtain the protection engine credentials:
/opt/emc/vmdirect/bin/vproxymgmt get -secret For environments with many protection engines, you can specify a protection engine ID to narrow the results:
/opt/emc/vmdirect/bin/vproxymgmt get -vproxy_id
Total '2' vProxies VMs available.
VProxy ID: f102c755-d084-4425-a151-a0ade4d1a4c7 Type: Embedded Hostname: localhost Disabled: false Status: Ready Protection Type: VM VM Configured Capacity Units: 16 VM Capacity Units in use: 0 VM Control Sessions in use: 0 VM Transport Sessions in use: 0
VProxy ID: 7bb57817-588f-46cc-b6ac-0dbf357dff92 Type: External Hostname: vmdirect.test.emc.com Disabled: false Status: Ready Protection Type: VM VCenter inventory source ID: 28d387df-452f-5992-820a-720e6c6a60fe VCenter: vcenter.test.emc.com VM Name: vproxy-vmdirect AdminCredentials-Username: 'admin' Password: '%%%%%%%%' RootCredentials-Username: 'root' Password: '%%%%%%%%' VM Configured Capacity Units: 100 VM Capacity Units in use: 0 VM Control Sessions in use: 0 VM Transport Sessions in use: 0 Record the protection engine credentials.
4. Obtain the Search Engine node credentials:
/opt/emc/vmdirect/bin/infranodemgmt get -secret For environments with many Search Engine nodes, you can specify a Search Engine node ID to narrow the results:
/opt/emc/vmdirect/bin/infranodemgmt get -node_id
Total '1' node VMs available.
Node ID: 14c16c75-2c8b-4dff-b93c-d95bdba5a1f6 Node Type: SearchNode Hostname: search.test.emc.com Disabled: false Status: Ready VM Name: search VCenter inventory source ID: 3f94030f-090d-5439-a426-ce9945e8cd89
Authentication 31
VCenter: vcenter.test.emc.com AdminCredentials-Username: 'admin' Password: '%%%%%%%%' RootCredentials-Username: 'root' Password: '%%%%%%%%' Record the Search Engine node credentials.
Reset Search Engine node credentials
You can reset the credentials for a Search Engine node admin user by using the vCenter console. Before you access a Search Engine node through the vCenter console, determine why the user account is locked.
About this task
The PowerProtect Data Manager Administration and User Guide provides information about the Search Engine troubleshooting to which this task relates.
Steps
1. Obtain the Search Engine node root credentials. Get protection engine or Search Engine node credentials on page 31 provides instructions.
2. Log in to the vCenter server where the Search Engine node is deployed.
3. From the left pane of the vSphere Client home page, select the Search Engine node from the VMs and Templates view.
4. Launch a virtual machine vCenter console for the Search Engine node.
5. Log in to the Search Engine node with the root credentials.
6. Reset the admin user account credentials:
/sbin/pam_tally2 --user admin --reset
32 Authentication
Authorization Authorization describes how PowerProtect Data Manager maps an authenticated user or external system to a level of access or permissions. More broadly, authentication describes what users are allowed to do.
Topics:
Default authorizations External authorization associations Role-based access control (RBAC)
Default authorizations Take note of the following user, group, and role considerations when authorizing users or adding users to roles and groups.
Default admin user
The default admin user is preassigned the Administrator role during PowerProtect Data Manager deployment.
The default admin user has super user control over PowerProtect Data Manager and cannot be deleted. However, you can modify the attributes of the default admin user.
Oracle group users
Note that users in the Oracle group have permission to delete the lockbox configuration file. To prevent data loss, add only trusted users to this group.
External authorization associations This section describes how to connect PowerProtect Data Manager authorization to identity provider-based subjects.
Only the Administrator and the Security Administrator roles can add external identity provider groups.
Before associating external identity provider users, configure an external identity provider group. On the external identity provider, add the PowerProtect Data Manager users to this group.
When you map PowerProtect Data Manager roles to an identity provider group, the mapping confers those roles on every user in the group.
Add identity provider group-to-role mapping
Only the Administrator and the Security Administrator roles can add identity provider group-to-role mapping.
Prerequisites
This procedure contains the process of role assignment, which delegates the authorization to perform particular tasks. Review the list of system-defined roles and identify all necessary roles.
Steps
1. From the left navigation pane, select Administration > Access Control.
The Access Control window appears.
3
Authorization 33
2. Click the Users/Groups tab. PowerProtect Data Manager displays a list of configured user accounts and external identity provider groups, including any associated roles.
3. Click Add User/Group. The Add User/Group window opens on the User Type tab.
4. Select AD/LDAP User Group.
5. Select the domain which corresponds to the identity provider for which you would like to add group-to-role mapping.
6. In Groups, start typing the name of a identity provider group. PowerProtect Data Manager searches the identity provider and displays any matching groups.
7. Select one or more groups from the list of results.
8. Click Next. The Add User/Group window moves to the Role tab.
9. Select one or more applicable roles.
To see a list of the permissions for each role, click >. You can further refine the applicability of each role on the next tab.
10. Click Next. The Add User/Group window moves to the Summary tab.
11. Review your selections, correct any errors, and then click Finish.
Results
The new group appears in the list of configured user accounts and groups.
Modify identity provider group-to-role mapping
Only the Administrator and the Security Administrator roles can modify identity provider group-to-role mapping.
Prerequisites
This procedure contains the process of role assignment, which delegates the authorization to perform particular tasks. Review the list of system-defined roles and identify all necessary roles.
Steps
1. From the left navigation pane, select Administration > Access Control.
The Access Control window appears.
2. Click the Users/Groups tab. PowerProtect Data Manager displays a list of configured user accounts and external identity provider groups, including any associated roles.
3. Click for any group to see the following information:
Group name Group type Group role Date the group was mapped
4. Select the group that you want to edit, and then click Edit The Edit User/Group window opens on the User Type tab.
5. Review the information on the User Type tab.
The domain and group name are read-only.
6. Click Next. The Edit User/Group window moves to the Role tab.
7. Select one or more applicable roles.
To see a list of the permissions for each role, click >. You can further refine the applicability of each role on the next tab.
8. Click Next. The Edit User/Group window moves to the Summary tab.
9. Review your selections, correct any errors, and then click Finish.
34 Authorization
Results
The changes appear in the list of configured user accounts and groups.
Delete identity provider group-to-role mapping
Only the Administrator and the Security Administrator roles can delete identity provider group-to-role mapping.
Steps
1. From the left navigation pane, select Administration > Access Control.
The Access Control window appears.
2. Click the Users/Groups tab. PowerProtect Data Manager displays a list of configured user accounts and external identity provider groups, including any associated roles.
3. Select the group that you want to delete, and then click Delete.
4. Click OK to confirm the deletion.
Role-based access control (RBAC) These topics describe the available system roles, the privileges that go along with each role, and how to use them to assign privileges to authenticated users. They also explain how to map external identity provider subjects to PowerProtect Data Manager roles.
Roles
A role defines the privileges and permissions that a user has to perform a group of tasks. When a user is assigned a role, you grant the user all of the privileges that are defined by the role.
By using predefined roles, you can limit access to PowerProtect Data Manager operations by applying the principle of least privilege. System-provided roles and associated privileges on page 35 provides more information about the built-in roles that you can apply to common environments.
Roles are assigned to users and groups during user creation or group mapping. You can change role assignments by editing a user or group. Managing local identity provider users on page 18 and External authorization associations on page 33 provide instructions.
You can assign a user to multiple roles. For example, a user who has both Backup Administrator and Restore Administrator roles but does not have full system administration privileges.
To view a list of available roles, select Administration > Access Control and select the Roles tab. The table displays each role
with a brief description and the number of users who are assigned that role. Click to see a full list of the associated privileges for any role.
System-provided roles and associated privileges
The following sections describe the built-in roles to which you can assign users:
Administrator role
The system Administrator role is responsible for setup, configuration, and all PowerProtect Data Manager management functions. The Administrator role provides systemwide access to all functionality across all organizations. One default Administrator role is assigned at PowerProtect Data Manager deployment. You can add and assign additional Administrator roles to users in your organization who require full access to the system.
Authorization 35
User role
The User role is responsible for monitoring the PowerProtect Data Manager Dashboard, Activity Monitor, and Notifications. The User role provides read-only access to monitor activities and operations. Assign the User role to users in your organization who monitor Dashboard activities, Activity Monitor, and Notifications. Users with this role do not require the ability to configure the system or access backup data. Most privileges that are held by this role are read-only.
Security Administrator role
The Security Administrator role is defined for a limited set of users whose manage user accounts and roles, privileges, audit logs, and authentication sources. These functions are separate from the Administrator role. You can assign this role to individuals with security clearances who may not be responsible for day-to-day operations but who clear other users for access.
Backup Administrator role
The Backup Administrator role is responsible for defining, configuring, and completing protection tasks such as backup operations. Individuals with this limited access role do not require the full set of system administrator permissions. These users work with resources that the system administrator has already configured. The Backup Administrator role can backup assets and manage copies at the asset level but cannot back up at the protection policy level.
Restore Administrator role
The Restore Administrator role is responsible for completing restore operations. Individuals with this limited access role do not require the full set of system administrator permissions. These individuals work with backups that exist in protection storage and with resources that the system administrator has already configured.
Role privileges
The following table details the privileges that correspond to each predefined role. Role privilege definitions on page 38 provides more information about the allowed activities for each privilege.
Table 10. Role privileges
Category Roles
Privilege Administrator User Security Administrator
Backup Administrator
Restore Administrator
Monitoring
View Alerts Y Y N Y Y
Manage Alerts Y N N Y Y
View Historical Data Y Y N N N
View Activities Y Y N Y Y
Manage Activities Y N N Y Y
Manage External Notifications
Y N N N N
Workflow Execution Y N N N N
View Protection Activities Y Y N Y N
View Recovery Activities Y Y N N Y
View System Activities Y Y N N N
Security and System Audit
View Security/System Audit Y Y Y N N
36 Authorization
Table 10. Role privileges (continued)
Category Roles
Privilege Administrator User Security Administrator
Backup Administrator
Restore Administrator
Manage Security/System Audit
Y N Y N N
User and Security Management
View User Security Y Y Y N N
Manage User Security Y N Y N N
Support Assistance and Log Management
View Diagnostic Logs Y Y N N N
Manage Diagnostic Logs Y N N N N
System Management
View System Settings Y Y Y Y Y
Manage System Settings Y N N N N
Asset Management
View Assets Y Y Y Y Y
Manage Assets Y N N Y N
View Asset Sources Y Y N Y Y
Manage Asset Sources Y N N N N
Manage Discovery Jobs Y N N N N
View Host Y Y N Y Y
Manage Host Y N N N Y
View Protection Engines Y Y N Y Y
Manage Protection Engines Y N N N N
View Search Engines Y Y N Y Y
Manage Search Engines Y N N N N
Manage Application Agents Y N N Y N
Storage Management
View Protection Storage Targets
Y Y N Y Y
Manage Protection Storage Targets
Y N N N N
View Storage Array Y Y N Y Y
Manage Storage Array Y N N N N
Manage Network Y N N N N
Protection Policy
View Policies Y Y N Y N
Manage Policies Y N N N N
Recovery and Reuse Management
Rollback to Production Y N N N Y
Authorization 37
Table 10. Role privileges (continued)
Category Roles
Privilege Administrator User Security Administrator
Backup Administrator
Restore Administrator
Recovery to Alternate Location
Y N N N Y
Export for Reuse Y N N N Y
SLA Compliance Management
View SLA/SLO Y N N Y N
Manage SLA/SLO Y N N N N
Copy Management
View Copies Y N N Y Y
Manage Copies Y N N Y N
View Retention Range Y N N Y N
Manage Retention Range Y N N N N
Delete Copies Y N N N N
All Copies Search Y N N N N
Resource Group
View Resource Groups Y Y Y N N
Manage Resource Groups Y N Y N N
Role privilege definitions
System-provided roles and associated privileges on page 35 lists the privileges that PowerProtect Data Manager associates with each integrated role. For each privilege, the following tables identify the specific tasks which a user with that privilege can perform.
Table 11. Monitoring privileges
Privilege Task
View Alerts View alerts and external notifications.
Manage Alerts Create, publish, cancel, ignore, promote, and demote alerts and external notifications.
View Historical Data View historical data that relates to plans, arrays, data targets, data sources, and capacity data.
View Activities View task resources.
Manage Activities Create, view, edit, and cancel activity resources.
Manage External Notifications
Subscribe or unsubscribe a user for alert notifications.
Workflow Execution Start and cancel workflow execution. View the status of workflow execution.
View Protection Activities
View protection activities.
View Recovery Activities
View recovery activities.
View System Activities
View system activities.
38 Authorization
Table 12. Security and system audit privileges
Privilege Task
View Security/System Audit
View security auditrelated events and activities.
Manage Security/ System Audit
Acknowledge security auditrelated events and activities. Export audit/change log of events and activities.
Table 13. Support assistance and log management privileges
Privilege Task
View Diagnostic Logs View log bundle resources. View log information resources. View the log source resource. View logs.
Manage Diagnostic Logs
View and manage log bundle resources. View and edit the log source resource. Export logs.
Table 14. User and security management privileges
Privilege Task
View User Security View users and roles. View identity providers.
Manage User Security Create, view, edit, and delete users. Create, view, edit, and delete roles. Create, view, edit, and delete identity providers. Create, view, edit, and delete user groups.
Table 15. System management privileges
Privilege Task
View System Settings View server disaster recovery artifacts. View maintenance mode. View license information. View server disaster recovery status. View SupportAssist information. View node, configuration EULA, operating system user, update package, component,
configuration status, configuration logs, time zone, and state resources.
Manage System Settings
Manage server disaster recovery activities. Manage SupportAssist gateway connection and other telemetry communications. View and edit node state resources. Update license information. View component, configuration status, configuration logs, time zone, and state resources. View and edit node, configuration EULA, operating system user, and lockbox resources. Create, view, edit, and delete update package resources.
Table 16. Asset management privileges
Privilege Task
View Assets View assets.
Manage Assets Create, view, edit, and delete assets. Add, view, edit, and delete protection policy assets. Perform manual backups of protected assets.
View Asset Sources View asset sources.
Authorization 39
Table 16. Asset management privileges (continued)
Privilege Task
Manage Asset Sources Create, view, edit, and delete asset sources.
Manage Discovery Jobs Create, view, edit, and delete discovery jobs.
View Host View asset hosts.
Manage Host Create, view, edit, and delete asset hosts.
View Protection Engines
View protection engines.
Manage Protection Engines
Create, view, edit, and delete protection engines.
View Search Engine View the Search Engine.
Manage Search Engine Create, view, edit, and delete the Search Engine.
Manage Application Agents
Install and update the agent on an application host.
Table 17. Storage management privileges
Privilege Task
View Protection Storage Targets
View storage targets.
Manage Protection Storage Targets
Create, view, edit, and delete storage targets.
View Storage Array View storage arrays.
Manage Storage Array Create, view, edit, and delete storage arrays.
Manage Network Assign network interfaces to storage arrays.
Table 18. Protection policy privileges
Privilege Task
View Policies View a list of all protection policies. View the storage targets of protection policy. View the accessible assets that are assigned to protection policies. View protection policy schedules. View protection policy networking and other advanced options. View file filters. View protection rules.
Manage Policies Create, view, edit, and delete protection policies. Disable protection policies. Create, view, edit, and delete schedule resources. Add, view, and edit protection policy storage targets. Perform manual backups of protected assets. Create, view, edit, and delete file filters. Create, view, edit, and delete protection rules filters.
Table 19. Recovery and reuse management privileges
Privilege Task
Rollback to Production
Create, view, edit, and start restore to production operations. Create, view, edit, and delete resources that are related to media manager assets.
Recovery to Alternate Location
Create, view, edit, and start restore to alternate location operations.
40 Authorization
Table 19. Recovery and reuse management privileges (continued)
Privilege Task
Create, view, edit, and delete resources that are related to media manager assets.
Export for Reuse Create, view, edit, and start export and reuse operations. Create, view, edit, and delete resources that are related to media manager assets.
Table 20. SLA compliance management privileges
Privilege Task
View SLA/SLO View compliance results.
Manage SLA/SLO Create, view, edit, delete, and export compliance results.
Table 21. Copy management privileges
Privilege Task
View Copies View asset copies and backups.
Manage Copies Edit asset copy and backup retention. Recall copies from the cloud. Edit asset copy and backup recall retention.
View Retention Range View retention range.
Manage Retention Range
Manage retention range across all copies and backups.
Delete Copies Delete copies and backups.
All Copies Search Manage available copies and backups.
Table 22. Resource group privileges
Privilege Task
View Resource Groups View a list of all resource groups. View resource group details.
Manage Resource Groups
Create, view, edit, and delete resource groups.
Authorization 41
Log Settings
Topics:
Authentication Server logging Add a log bundle
Authentication Server logging The Authentication Server has two types of log files. Administrative logsContain information used for troubleshooting and maintenance. Audit logsContain security-related information that appears in chronological order.
Add a log bundle Use the following procedure to add a log bundle.
About this task
NOTE: You can add a maximum of 10 log bundles.
Steps
1. From the PowerProtect Data Manager user interface, click , select Support, and then click Logs.
2. Click Add to add a log bundle. The Add Log Bundle window appears.
3. Select the systems for the log bundle (Data Manager, VM Direct Engines, or, if Cloud DR is deployed, CDRS), set the log bundle duration, and click Save. The Jobs window displays the progress of the log bundle creation. Also, a green banner in the UI indicates that the log bundle has successfully been created. If you want to dismiss the banner, click X.
4. To delete the log bundle, select the box to the left of log bundle and click Delete.
The Log Capacity indicates how much space (in GB) remains on the disk for logs and the percentage of the disk in use for log storage.
5. To download the log bundle, click the bundle name in the Bundle Name column.
4
42 Log Settings
Network and Communication Security Settings
This chapter describes how to ensure PowerProtect Data Manager uses secure channels for network communication and how to configure PowerProtect Data Manager in a firewall environment.
Topics:
Port usage Communications security settings PowerProtect Data Manager firewall support
Port usage This table summarizes the port requirements for PowerProtect Data Manager and its associated internal and external components or systems. PowerProtect Data Manager audits and blocks all ports that are not listed below.
The PowerProtect DD Security Configuration Guide provides more information about ports for DD systems and protocols.
Table 23. PowerProtect Data Manager port requirements
Source system Destination system Port Protocol TLS supported
Notes
Backup clientsa DD system 111 TCP No Dynamic port detection and mapping. Used only for port verification, not for data.
Backup clientsa DD system 2049 Proprietary TLS 1.2 Optional DD Boost client TLS encryption.
Backup clientsa DD system 2052 TCP No NFS mountd, not for data.
Backup clients DD Global Scale 2053 TCP TLS 1.2 DD Boost connection.
Backup clientsa PowerProtect Data Manager
8443 HTTPS TLS 1.2 REST API service.
Backup clients VMAX SE server 2707 Proprietary TLS 1.2 Backup clients require access to the default port 2707 on the VMAX SE server. Applies to Storage Direct.
Callhome (SupportAssist)
PowerProtect Data Manager
22 SSH TLS 1.2 SSH for support and administration. Encrypted by private key or optional certificates.
Callhome (SupportAssist)
PowerProtect Data Manager
443 HTTPS TLS 1.2 SSH for remote support.
ESXi DD systemb 111 TCP No Dynamic port detection and mapping. Used only for port verification, not for data.
ESXi DD systemb 2049 Proprietary TLS 1.2 NFS datastore and DD Boost. NFS is unencrypted. DD Boost is encrypted.
ESXi DD systemb 2052 TCP No NFS mountd, not for data.
5
Network and Communication Security Settings 43
Table 23. PowerProtect Data Manager port requirements (continued)
Source system Destination system Port Protocol TLS supported
Notes
Kubernetes cluster DD system 111 TCP No Dynamic port detection and mapping. Used only for port verification, not for data.
Kubernetes cluster DD system 2049 Proprietary TLS 1.2 Optional DD Boost client TLS encryption.
Kubernetes cluster DD system 2052 TCP TLS 1.2 NFS mountd, not for data.
Kubernetes cluster ESXi 902 TCP TLS 1.2 vSphere client access for PVCs using VMware CSI. Not required for Tanzu Kubernetes Guest clusters.
Kubernetes cluster Protection engine 9090 HTTPS TLS 1.2/1.3 Required for Tanzu Kubernetes Guest clusters.
Kubernetes cluster vCenter 443 HTTPS TLS 1.2 Primary management interface for vSphere using the vCenter Server, including the vSphere client for PVCs using VMware CSI. Not required for Tanzu Kubernetes Guest clusters.
NAS protection engine NAS appliance 443 HTTPS TLS 1.2 Management access for Unity and PowerStore appliances.
NAS protection engine NAS appliance 8080 HTTPS TLS 1.2 Management access for PowerScale/ Isilon appliances.
PowerProtect Data Manager
Backup clients 7000 HTTPS TLS 1.2 Microsoft SQL Server, Oracle, Microsoft Exchange Server, SAP HANA, and file system. Requirement applies to Application Direct and VM Direct.
PowerProtect Data Manager
Callhome (SupportAssist)
25 SMTP TLS 1.2 TLS version in use depends on the mail server. TLS used where possible.
PowerProtect Data Manager
Callhome (SupportAssist)
465 TCP TLS 1.2
PowerProtect Data Manager
Callhome (SupportAssist)
587 TCP TLS 1.2
PowerProtect Data Manager
Callhome (SupportAssist)
9443 HTTPS TLS 1.2 REST API for service notification.
PowerProtect Data Manager
DD system 111 TCP No Dynamic port detection and mapping. Used only for port verification, not for data.
PowerProtect Data Manager
DD system 2049 Proprietary No Server DR NFS connections. Used only for metadata, client name, and indexing, not for backup data.
PowerProtect Data Manager
DD system 2052 TCP/UDP No NFS mountd, not for data.
PowerProtect Data Manager
DD system 3009 HTTPS TLS 1.2 Communication with DDMC for configuration and discovery.
PowerProtect Data Manager
ESXi 443 HTTPS TLS 1.2 Depends on ESXi configuration and version.
PowerProtect Data Manager
Kubernetes cluster 6443 Proprietary TLS 1.2 Connects to the Kubernetes API server. Encryption depends on the Kubernetes cluster configuration.
44 Network and Communication Security Settings
Table 23. PowerProtect Data Manager port requirements (continued)
Source system Destination system Port Protocol TLS supported
Notes
PowerProtect Data Manager supports TLS 1.2.
PowerProtect Data Manager
LDAP server 389 TCP/UDP No Insecure LDAP port, outbound only. Use port 636 for encryption.
PowerProtect Data Manager
LDAP server 636 TCP TLS 1.2 LDAPS, depending on LDAP configuration in use. Outbound only.
PowerProtect Data Manager
NAS appliance 443 HTTPS TLS 1.2 Management access for Unity and PowerStore appliances.
PowerProtect Data Manager
NAS appliance 8080 HTTPS TLS 1.2 Management access for PowerScale/ Isilon appliances.
PowerProtect Data Manager
NAS share 139 TCP TLS 1.2 Windows file server shares (CIFS).
PowerProtect Data Manager
NAS share 443 HTTPS TLS 1.2 NetApp shares (NFS and CIFS). Also used for NAS share verification check.
PowerProtect Data Manager
NAS share 445 TCP TLS 1.2 Windows file server shares (CIFS).
PowerProtect Data Manager
NAS share 2049 TCP TLS 1.2 Linux file server shares (NFS).
PowerProtect Data Manager
NTP server 123 NTP No Time synchronization.
PowerProtect Data Manager
PowerProtect Data Manager - Catalog
9760 TCP Internal only. Blocked by firewall.
PowerProtect Data Manager
PowerProtect Data Manager - Configuration Manager
55555 TCP Internal only. Blocked by firewall.
PowerProtect Data Manager
PowerProtect Data Manager - Elastic Search
9200 TCP Internal only.
PowerProtect Data Manager
PowerProtect Data Manager - Elastic Search
9300 TCP Internal only.
PowerProtect Data Manager
PowerProtect Data Manager - Embedded VM proxy
9095 TCP Internal only. Blocked by firewall.
PowerProtect Data Manager
PowerProtect Data Manager - Quorum peer
2181 TCP Internal only. Blocked by firewall.
PowerProtect Data Manager
PowerProtect Data Manager - RabbitMQ
5672 TCP Internal only. Blocked by firewall.
PowerProtect Data Manager
PowerProtect Data Manager - Secrets manager
9092 TCP Internal only.
PowerProtect Data Manager
PowerProtect Data Manager - VM Direct infrastructure manager
9097 TCP Internal only. Blocked by firewall.
PowerProtect Data Manager
PowerProtect Data Manager - VM Direct orchestration
9096 TCP Internal only. Blocked by firewall.
Network and Communication Security Settings 45
Table 23. PowerProtect Data Manager port requirements (continued)
Source system Destination system Port Protocol TLS supported
Notes
PowerProtect Data Manager
Protection engine 22 SSH TLS 1.2 SSH for support and administration. Encrypted by private key or optional certificates.
PowerProtect Data Manager
Protection engine 9090 HTTPS TLS 1.2 REST API service.
PowerProtect Data Manager
Protection engine 9613c Proprietary TLS 1.2
PowerProtect Data Manager
Reporting engine 9002 TCP TLS 1.2 REST API service.
PowerProtect Data Manager
Search cluster 9613c Proprietary TLS 1.2 Infrastructure node agent management of Search Engine nodes.
PowerProtect Data Manager
Search cluster 14251 Proprietary TLS 1.2 Search query REST API endpoint.
PowerProtect Data Manager
SMI-S 5989 HTTPS TLS 1.2 Communication with SMI-S provider. Discovery.
PowerProtect Data Manager
Storage Direct system 3009 HTTPS TLS 1.2 Discovery.
PowerProtect Data Manager
UI 443 HTTPS TLS 1.2 Between the browser host and the PowerProtect Data Manager system.
PowerProtect Data Manager
Update Manager UI 14443 HTTPS TLS 1.2 Connects the host that contains the update package to the PowerProtect Data Manager system.
PowerProtect Data Manager
vCenter 443 HTTPS TLS 1.2 vSphere API for direct restore, discovery, initiating Hot Add transport mode, and restores including Instant Access restore. Depends on vCenter configuration.
PowerProtect Data Manager
vCenter 7444 Proprietary TLS 1.2 vCenter single sign-on.
PowerProtect Data Manager
VMAX Solutions Enabler server
2707 Proprietary TLS 1.2 Storage Direct functionality. PowerProtect Data Manager uses the Solutions Enabler default server port for configuration steps and to control active snapshot management for SnapVX, including for PP-VMAX.
Protection engine DD system 111 TCP No Dynamic port detection and mapping. Used only for port verification, not for data.
Protection engine DD system 2049 Proprietary TLS 1.2 Optional DD Boost client TLS encryption.
Protection engine DD system 2052 TCP No NFS mountd, not for data.
Protection engine DD system 3009 HTTPS TLS 1.2 DD REST API service.
Protection engine ESXi 443 HTTPS TLS 1.2 Client connections.
Protection engine ESXi 902 TCP TLS 1.2 vSphere client access.
Protection engine Guest VM 9613c Proprietary TLS 1.2 VM Direct Agent provides capabilities for file-level restore and application- aware protection.
46 Network and Communication Security Settings
Table 23. PowerProtect Data Manager port requirements (continued)
Source system Destination system Port Protocol TLS supported
Notes
Protection engine NAS agent Docker container
443 HTTPS TLS 1.2 Applies for NAS only. Internal only. Blocked by firewall.
Protection engine Search cluster 14251 TCP TLS 1.2 Search query REST API endpoint.
Protection engine vCenter 443 HTTPS TLS 1.2 Primary management interface for vSphere using the vCenter server, including the vSphere client.
Protection engine vCenter 7444 TCP TLS 1.2 Secure token service.
Protection engine Protection engine - RabbitMQ
4369 TCP Internal only. Blocked by firewall.
Protection engine Protection engine - RabbitMQ
5672 TCP Internal only. Blocked by firewall.
Reporting engine PowerProtect Data Manager
8443 TCP TLS 1.2 REST API service for collecting reporting data.
Search cluster DD system 111 TCP No Server DR. Dynamic port detection and mapping. Used only for port verification, not for data.
Search cluster DD system 2049 Proprietary No Server DR NFS connections. Used only for metadata, client name, and indexing, not for backup data.
Search cluster DD system 2052 TCP/UDP No Server DR. NFS mountd, not for data.
Source DD system Target DD system 111 TCP No Dynamic port detection and mapping. Used only for port verification, not for data.
Source DD system Target DD system 2049 Proprietary TLS 1.2
Source DD system Target DD system 2051 Proprietary TLS 1.2
Source DD system Target DD system 2052 TCP No NFS mountd, not for data.
Target DD system Source DD system 111 TCP No Dynamic port detection and mapping. Used only for port verification, not for data.
Target DD system Source DD system 2049 Proprietary TLS 1.2
Target DD system Source DD system 2051 Proprietary TLS 1.2
Target DD system Source DD system 2052 TCP No NFS mountd, not for data.
Update Manager UI PowerProtect Data Manager
14443 HTTPS TLS 1.2 Connects the host that contains the update package to the PowerProtect Data Manager system.
User PowerProtect Data Manager
22 SSH TLS 1.2 SSH for support and administration. Encrypted by private key or optional certificates.
User PowerProtect Data Manager
80 HTTP No Redirect to HTTPS.
User PowerProtect Data Manager
443 HTTPS TLS 1.2 Connects the browser host to the PowerProtect Data Manager system.
User PowerProtect Data Manager
8443 HTTPS TLS 1.2 REST API service.
Network and Communication Security Settings 47
Table 23. PowerProtect Data Manager port requirements (continued)
Source system Destination system Port Protocol TLS supported
Notes
User Search Cluster 22 SSH TLS 1.2 SSH for support and administration. Encrypted by private key or optional certificates.
User Protection engine 22 SSH TLS 1.2 SSH for support and administration. Encrypted by private key or optional certificates.
vCenter ESXi 443 HTTPS TLS 1.2 vSphere client to ESXi/ESX host management connection.
vCenter PowerProtect Data Manager
443 HTTPS TLS 1.2 vCenter plug-in UI.
vCenter PowerProtect Data Manager
8443 HTTPS TLS 1.2 REST API service.
vCenter PowerProtect Data Manager
9009 HTTPS TLS 1.2/1.3 vSphere APIs for Storage Awareness (VASA) provider, storage policy based management (SPBM) service within PowerProtect Data Manager.
a. Applies to Application Direct, Storage Direct, and VM Direct (VM application-aware only). b. Instant access restore. NFS connection established under PowerProtect Data Manager control of vSphere from the ESXi
node to the DD system. Can be directed to any ESXi node, so allowed ports would be between any ESXi node to any DD system used by PowerProtect Data Manager.
c. Port number is a default which you can change on a per-agent basis, and which can change dynamically in case of listening conflicts.
The term "protection engine" in this table refers to all types of protection engine: VM Direct, NAS, and Kubernetes, unless otherwise specified.
For VM application-aware backups, open the ports for the protection engine and for the backup clients on the guest VM.
For NAS assets, open any custom ports between PowerProtect Data Manager, the NAS protection engine, and the NAS that may be required for access to specific shares. You can supply custom port information for connections to NAS appliances and shares as part of the process for adding NAS asset sources.
Communications security settings The following topics describe how to secure communications between PowerProtect Data Manager and remote systems, such as clients.
Virtual networks (VLANs)
PowerProtect Data Manager can separate management and backup traffic onto different virtual networks (VLANs). Virtual networks help to improve data traffic routing, security, and organization.
The initial steps to configure and add each virtual network are one-time events. The subsequent steps to assign virtual networks to protection policies or assets happen as required.
The PowerProtect Data Manager Administration and User Guide contains information about supported network topologies and how to configure virtual networks. Configuring virtual networks is considered part of modifying the system settings.
Typically, you assign virtual networks to protection policies and assets when you create a protection policy. The user guide for each agent type describes this process. However, the PowerProtect Data Manager Administration and User Guide contains instructions to assign virtual networks to existing policies and override network assignments on a per-asset basis.
48 Network and Communication Security Settings
Configure SSH session timeout
This topic describes how the PowerProtect Data Manager console behaves for connections with prolonged inactivity. These steps also change the behavior of the timeout mechanism that regulates SSH sessions.
About this task
The default SSH session timeout is 3600 seconds (60 minutes).
Steps
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. Using a Linux text editor, open /etc/ssh/sshd_config.
3. Modify the following property:
Property Description
ClientAliveInterval The number of seconds of inactivity after which PowerProtect Data Manager terminates the SSH session.
4. Save and close the file.
5. Reload the SSH daemon to apply the changes:
systemctl reload sshd
Configure REST API token lifespans
This topic describes PowerProtect Data Manager REST API tokens and the default token expiry intervals. These steps also change the behavior of the REST API token expiry mechanism.
About this task
The REST API uses two separate types of tokens: access and refresh. Access tokens are bearer tokens that authenticate REST API calls. Refresh tokens provide enough information to get a new access token after the access token expires.
Using refresh tokens enables you to set shorter lifespans on access tokens without causing frequent credential requests. Shorter access token lifespans reduce the risk of compromised token values. The OAuth Authorization Framework provides more information about token types.
The default time unit is MINUTES. Available time units include: DAYS, HOURS, MINUTES, MONTHS, SECONDS, and WEEKS.
The default access token expiry time is 480. The default refresh token expiry time is 1440.
Steps
1. Connect to the PowerProtect Data Manager console as an admin user.
2. Using a Linux text editor, open /usr/local/brs/lib/aaa/config/application-server-custom.properties.
3. Modify the following properties:
Property Description
aaa.jwt.token.chrono-unit The unit for the expiration time properties.
aaa.jwt.token.access-expiration-time The amount of time after which access tokens expire.
aaa.jwt.token.refresh-expiration-time The amount of time after which refresh tokens expire.
4. Save and close the file.
5. Apply the new configuration:
aaa restart
Network and Communication Security Settings 49
PowerProtect Data Manager firewall support PowerProtect Data Manager is a single node in a virtual appliance that uses the Linux SLES 12 firewall to protect and limit external access to the system. PowerProtect Data Manager uses a direct socket connection to communicate and move data internally and across the network to the required service with minimal overhead.
To enable communication between the PowerProtect Data Manager system and other applications, PowerProtect Data Manager configures firewall rules for ports that are used for inbound and outbound communication.
Modify firewall rules
The PowerProtect Data Manager system configures firewall rules to block inbound and outbound communications on ports that are not required by PowerProtect Data Manager components for communication.
About this task
There are three ways to modify the firewall rules:
For permanent changes, you can add entries to the list of custom ports. For temporary changes, you can use the iptables command, which is part of the Linux operating system. Users should be
familiar with the operation and syntax for iptables, including order of precedence, before using this method. Temporary changes do not persist through firewall restarts.
You can also use the PowerProtect Data Manager REST API to open outbound ports. The PowerProtect Data Manager Public REST API documentation provides instructions for this method.
NOTE: Dell EMC recommends that you do not modify existing firewall rules, because modification can impact successful
operations.
Steps
1. Connect to the PowerProtect Data Manager console and change to the root user.
For permanent changes:
2. Add port numbers on separate lines to /etc/sysconfig/scripts/custom-ports.
For example:
139 445 6443 8080 Save and close the file.
3. Stop the firewall service:
SuSEfirewall2 stop 4. Start the firewall service:
SuSEfirewall2 start For temporary changes:
5. Open an outbound port:
/usr/sbin/iptables -I OUTPUT -p tcp --dport
This example inserts the new rule at the head of the rule chain and opens the specified TCP port from PowerProtect Data Manager to any destination.
6. Open an inbound port:
/usr/sbin/iptables -I INPUT -p tcp --dport
This example inserts the new rule at the head of the rule chain and opens the specified TCP port to PowerProtect Data Manager from any destination.
50 Network and Communication Security Settings
Data Security Settings
Topics:
Data storage security settings Encrypting sensitive data Backup and restore encryption Audit logging and monitoring system activity
Data storage security settings The following topics describe how you can secure PowerProtect Data Manager resources and backup data against unauthorized access.
Protection engine settings
The PowerProtect Data Manager Virtual Machine User Guide contains information about configuring the user-accessible options for protection engines.
Some protection engines, such as the transparent snapshot data mover (TSDM), have no configuration options. The PowerProtect Data Manager Virtual Machine User Guide advises that you use the default virtual switch configuration which rejects MAC address changes, forged transmits, and promiscuous mode connections.
The user guide also provides the necessary instructions and privileges to configure a dedicated vCenter user account for TSDM.
Encrypting sensitive data PowerProtect Data Manager uses an encrypted lockbox to securely store sensitive information in a central location.
Credential security on page 28 provides more information about how PowerProtect Data Manager uses lockboxes and how the stored secrets are protected.
Backup and restore encryption You can encrypt backup or restore data that is in transit for centralized and self-service operations with DD Boost encryption, using TLS. Encryption of backup and restore data in-flight is available for application assets and NAS assets only.
By default, PowerProtect Data Manager supports an encryption strength of HIGH and uses DD Boost anonymous authentication mode. The DD Boost encryption software uses the ADH-AES256-SHA cipher suite. The DD Boost for OpenStorage Administration Guide provides more information about the cipher suite for high encryption.
The following table lists the workloads and operations that support encryption of data in-flight:
NOTE: Refer to the agent user guides for more information about the centralized and self-service operations that are
supported.
Table 24. Supported workloads
Workload Centralized backup Centralized restore Self-service backup Self-service restore
File System with Application Direct
Yes Yes (image-level restore only)
Yes Yes (image-level restore only)
6
Data Security Settings 51
Table 24. Supported workloads (continued)
Workload Centralized backup Centralized restore Self-service backup Self-service restore
Microsoft SQL Server with Application Direct
Yes Yes (database-level restore only)
Yes Yes (database-level restore only)
Microsoft Exchange Server with Application Direct
Yes N/A Yes Yes
Oracle with Application Direct
Yes N/A Yes Yes
SAP HANA with Application Direct
Yes N/A Yes Yes
Network-attached storage (NAS)
Yes Yes N/A N/A
Enabling encryption imposes additional overhead. Backup and restore performance for any client could be affected by 5-20% with encryption enabled.
You can enable or disable backup and restore encryption in the PowerProtect Data Manager UI.
PowerProtect Data Manager supports backup and restore encryption for all supported DD Boost and DDOS versions. The most up-to-date software compatibility information for PowerProtect Data Manager is provided in the E-Lab Navigator.
NOTE: You do not need to enable in-flight encryption on connected DD systems. If DD encryption settings exist, the higher
setting takes precedence.
Enable backup and restore encryption
You can ensure that the backup and restore content is encrypted when read on the source system, transmitted in encrypted form, and then decrypted before it is saved on the destination storage.
Prerequisites
Review the information in Backup and restore encryption on page 51 to learn more about backup and restore encryption.
The encryption settings determine if the data transfer is encrypted while in-flight during backup and restore operations.
For Microsoft SQL Server, Microsoft Exchange Server, File System, SAP HANA, and Oracle workloads, backup and restore encryption is only supported for Application Direct hosts.
When a new host is added to PowerProtect Data Manager, host configuration is run to push the encryption settings to the host.
Only hosts that have the same version of PowerProtect Data Manager application agents installed support the host configuration.
About this task
Steps
1. From the PowerProtect Data Manager UI, click , and then select Security.
The Security dialog box appears.
2. Click the Backup/Restore Encryption switch so it is enabled, and then click Save.
Next steps
The Jobs > System Job window of the PowerProtect Data Manager UI creates a job to enable protection encryption. This job pushes encryption settings to the hosts to be used for self-service operations. Within the system job, a host configuration job is created for each host. If an error occurs, you can retry the system job or individual host configuration job.
NOTE: For centralized backup and restore operations, PowerProtect Data Manager sends the encryption settings to the
application agents on the Application Direct hosts and network-attached storage (NAS).
52 Data Security Settings
You can disable encryption for backup and restore content by clicking the Backup/Restore Encryption switch. PowerProtect Data Manager creates a system job in the Jobs > System Job window to disable protection encryption.
Audit logging and monitoring system activity The Linux audit daemon (auditd) tracks and logs security-relevant events on the PowerProtect Data Manager system.
Users with the Administrator role can use auditd to monitor the following events:
File access System calls Login and logout activity of users
Audit logging enables you to discover access violations, changed or deleted files, failed authentication, and so on.
Configuring the audit service
The Linux auditd daemon captures events from the Linux kernel and records the entries in a log file for inspection. The auditd log entries are based on a set of rules that specify which events are defined in the log files. Auditing is disabled by default. To modify the default audit rules, edit the /etc/audit/audit.rules file.
About this task
To enable auditing, perform the following steps.
NOTE: You can also use the YaST tool to enable and disable auditing.
Steps
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. To start auditd, type one of the following commands:
Continuous loggingsystemctl enable auditd Log until system restart service auditd start
NOTE: To disable continuous auditd logging, type systemctl disable auditd. To stop auditd, type service auditd stop
3. To review auditd log entries, review the files in the /var/log/audit/audit.log directory.
NOTE: The /var/log/audit/audit.log directory is limited to five files, and log rotation occurs when the file size
reaches 6 MB. To modify the default configuration, edit the /etc/audit/auditd.conf file, where:
num_logsSpecifies how many log files to concurrently retain in the directory.
max_log_fileSpecifies the maximum log file size in MB.
max_log_file_action Instructs the auditd daemon to rotate the log files when the log files reach the maximum
size.
Do not modify other parameters unless specifically instructed to do so by Support.
4. To produce a summary report from the audit logs, type aureport --summary
Viewing audit events in the UI
With the Administrator, Backup Administrator, Restore Administrator, and User roles, you can view audit events to monitor system activity.
About this task
The following actions generate an audit event:
User login and logout Creating, deleting, or updating a user
Data Security Settings 53
Assigning or unassigning a role to a user
To view audit events in the UI, perform the following steps.
Steps
1. Log in to the PowerProtect Data Manager UI with an account that has one of the indicated roles.
2. Go to Alerts > Audit Logs.
View and manage alerts
Alerts enable you to track the performance of data protection operations in PowerProtect Data Manager so that you can determine whether there is compliance to service level objectives. With the Administrator, Backup Administrator, Restore Administrator, or User role, you can access the alerts from the Alerts window. However, only some of these roles can manage alerts.
Steps
1. From the PowerProtect Data Manager UI left navigation pane, select Alerts.
You can also click the icon in the top banner, and then click the links to view unacknowledged alerts of all statuses (critical, warning, and informational), or only the unacknowledged critical alerts.
NOTE: Clicking the New tag displays only the unacknowledged alerts that have been generated within the last 24 hours.
The number that appears next to the is the total number of unacknowledged critical alerts over the last 24 hours.
The Alerts window displays.
2. Select the System tab. A table with an entry for each applicable alert displays.
By default, only unacknowledged critical alerts from the last 24 hours display, unless you selected to view all
unacknowledged alerts from the links under the icon.
If filter tags have already been applied, the window displays these filter tags. Click X next to any of these filter tags to clear a filter, and the table view updates with the applicable selections. You can sort the alerts in the table by Severity (Critical, Warning, Informational), Date, Category, or Status (Acknowledged or Unacknowledged).
3. Select the time (last 24 hours, last 3 days/7 days/30 days), a specific date, or a time range for the alerts that you want to view. You can also select All Alerts from this list to display information for all alerts that match the filter tags.
4. Optionally, clear the Show only unacknowledged alerts checkbox if you want to view both acknowledged and unacknowledged alerts. If you clear this checkbox, the Unacknowledged filter tag is also cleared.
5. To view more details about a specific entry, click next to the entry in the table.
6. For the following steps, log in to the PowerProtect Data Manager UI with an account that has the Administrator, Backup Administrator, or Restore Administrator role.
7. To acknowledge one or more alerts, select the alerts and then click Acknowledge.
8. To add or edit a note for the alert, click Add/Edit Note, and when finished, click Save.
9. To export a report of alert information to a .csv file which you can download for Excel, select an entry in the table and then click Export.
NOTE: If you apply any filters in the table, exported alerts include only those alerts that satisfy the filter conditions.
Export audit logs
With the Administrator or Security Administrator role, you can export audit log records to a CSV file of audit data that you can download and open in Excel. Only the Administrator role can change the retention period.
Steps
1. Go to Administration > Audit Logs.
The list of audit logs appears, which displays the following information: Changed at
54 Data Security Settings
Audit Type Description Changed By Object Changed Previous Values New Values
2. To set the retention period (in days) for the audit log, select Set Boundaries and update the retention period.
Only the Administrator role can perform this step.
3. To add a note for the audit log, click >, enter a note in the Note field, and click Save.
4. Click Export.
Data Security Settings 55
Cryptography
Topics:
Security certificates Certificate management
Security certificates A default installation of PowerProtect Data Manager creates self-signed security certificates that secure communication with other components. As you configure the server and add assets, PowerProtect Data Manager stores additional certificates for each component.
The Administrator and Security Administrator roles can review the Administration > Certificates page in the UI. This page contains three tabs that list the installed security certificates. Each tab provides information about certificate uses, expiry dates, issuers, and so forth.
Using descriptive hostnames and fully qualified domain names for each application agent or external component aids in matching security certificates to assets or systems. You can compare the values in the Host column for the certificates to the hostnames and addresses for asset sources, protection storage, and so forth. Common names are arbitrary strings of characters but frequently include hostnames and IP addresses, especially for external components.
Internal components
The certificates on the Internal tab secure access to components that are part of the PowerProtect Data Manager server, such as the UI and REST API:
ppdmserver holds the certificate that PowerProtect Data Manager presents to secure communication with the UI and the REST API.
restserver holds the default self-signed certificates from deployment.
Certificate management on page 58 provides instructions to replace the default self-signed security certificates on the Internal tab with certificates from an approved certificate authority (CA) of your choice.
If you replace the self-signed certificates, PowerProtect Data Manager replaces the ppdmserver and restserver certificates with a new certificate called custom. This single entry holds the host certificate that you provided during replacement. Both the UI and the REST API use the custom certificate.
Application agents
The certificates on the Application Agents tab secure access to the agents, which are under the control of PowerProtect Data Manager but exist outside the server. Application agents create certificate signing requests during the registration process to obtain signed security certificates from PowerProtect Data Manager. This list shows application agents that have received signed certificates.
The process of creating an application agent certificate incorporates information about the asset source fully qualified domain name and IP address. The agent provides a unique common name during the signing request.
External components
The certificates on the External Servers tab secure access to components or systems that are beyond the control of the server, but where you have approved the communication.
For example, directory services and protection storage systems that provide services to PowerProtect Data Manager are external components.
7
56 Cryptography
Protection engines and security certificates
Protection engines, whether for VM Direct, NAS, or Kubernetes, are considered under the control of PowerProtect Data Manager.
PowerProtect Data Manager manages all aspects of the protection engine life cycle, including deployment, upgrade, and removal. Customers do not regularly interact with protection engines other than through PowerProtect Data Manager.
Even if you replace the default self-signed security certificates for other components, protection engines continue to use the self-signed certificates.
Application agents and security certificates
If you have replaced the default self-signed security certificates, the behavior of application agents depends on the installed version of the agent software.
For application agents from PowerProtect Data Manager 19.8 and earlier, these legacy agents are unaware of changes to the certificates that secure communication with the server. Legacy agents lack the ability to use the new security certificates. Subsequently, legacy agents always use the default self-signed security certificate to secure all communication with PowerProtect Data Manager, even if you replace the UI and REST API certificates. In the UI, this is the restserver certificate on the Internal tab.
Application agents from PowerProtect Data Manager 19.9 and later can automatically retrieve new security certificates from the server at registration. Agents then use the new certificates to secure communication with PowerProtect Data Manager.
Application agent security certificate files
For Windows assets, the certificates reside in the DPSAPPS\AgentService\ssl folder, which is related to the location where you installed the application agent software.
globalca.pemthe custom server certificate.
ecdm-rootca.pemthe PowerProtect Data Manager server root certificate.
privKey.csrthe certificate signing request from which the signed application agent certificate is generated.
privKey.pemthe private key for the application agent certificate signing request.
agent-cert.pemthe signed application agent certificate.
If you have replaced the PowerProtect Data Manager server certificates, globalca.pem contains the new security certificates from the server.
Exchange the PowerProtect Data Manager security certificate with external components
While PowerProtect Data Manager maintains a certificate store for trusted external components, you can also exchange the server certificate with external components for greater protection.
PowerProtect Data Manager automatically presents the server certificate during the initial handshake when you connect to the server from an external component. The external component normally accepts and stores the server certificate for later use and authentication. No further action is required.
If the server certificate was not automatically presented or retained, you can get the certificate through the REST API. The PowerProtect Data Manager Public REST API documentation provides more information.
Use curl or a REST API client of your choice. An access token is not required. However, the REST API client may require an additional parameter to allow connections with servers that use self-signed certificates.
GET https://{{server}}:{{port}}/api/v2/jwks The REST API service returns a status code and the server certificate:
200 OK { "keys": [ {
Cryptography 57
"kty": "EC", "use": "sig", "crv": "P-256", "kid": "a86a7118-99f9-4768-bdda-8012474c8685", "x5c": [ "MIIDBTCCAe2gAwIBAgIESvEK5DANBgkqhkiG", "MIIDizCCAnOgAwIBAgIEMayrSDANBgkqhkiG" ], "x": "GdPBk9pB5VkppISLMHhKaQ5EIBsPeaoERgarTagRJko", "y": "QiVYHOUdiGPzCW8NvJifB5qVkShDcmsKd8F2g_zdGvE", "alg": "ES256" }, { "kty": "RSA", "e": "AQAB", "use": "sig", "kid": "7452f2bb-3a83-4569-a0fc-7fe255284fb4", "alg": "RS256", "n": "jTgO5NHdgzLhkv619gjh5Uz07v8-ZFHtpsDT" } ] } Some values in this example were truncated to fit the available space.
Certificate management The following topics describe how to replace the default self-signed security certificates for PowerProtect Data Manager with certificates from an approved CA. You can replace the certificates for the UI server and the REST API.
If you have added any vCenter servers, reinstall the PowerProtect plug-in after you replace the security certificates. Reinstall the PowerProtect plug-in for the vSphere client on page 60 provides more information.
Regardless of the method that you select, if the UI continues to present the default self-signed security certificates, Restart the web service on page 61 provides instructions.
Prerequisites
The new host certificate must:
Contain the PowerProtect Data Manager server fully qualified domain name in the Subject Common Name (CN) and Subject Alternative Name (SAN) fields.
Not contain the PowerProtect Data Manager server IP address in the SAN field.
UI method
Providing security certificates over HTTPS is secure enough for most environments. Where additional precautions are required, use the manual method to replace the certificates.
Replacing the security certificates through the PowerProtect Data Manager UI requires a private certificate in PKCS#1 (RSA) PEM format and a public certificate chain in PEM format.
Complete Replace security certificates through the UI on page 59.
CLI method
The CLI method requires a private key in PKCS#1 (RSA) PEM format and a public certificate chain in PEM format. Use a secure method to transfer the certificates and keys to the PowerProtect Data Manager server.
Complete Replace security certificates with the CLI tool on page 59. Appendix REST API Procedures on page 70 describes alternative ways for advanced users to manually replace the security certificates.
58 Cryptography
Virtual networks
Adding a virtual network creates a PowerProtect Data Manager interface on that virtual network. If you add a virtual network after you replace the default self-signed certificates, then the replacement certificates may not match the new interface. In this case, connections through the new interface can still produce a certificate warning even when the default interface does not.
To avoid this condition, install wildcard certificates for environments with virtual networks, and access the virtual network interfaces through FQDNs. For example, if the PowerProtect Data Manager server is test.example.com, then:
Name the virtual network interfaces using a subdomain pattern such as vlan-10.test.example.com, vlan-20.test.example.com, and so forth.
Replace the default certificates with signed wildcard certificates for *.test.example.com. Use the FQDN vlan-10.test.example.com to access PowerProtect Data Manager from VLAN 10, and so forth.
Before you replace the security certificates, review the applicable limitations of wildcard certificates and requirements for Subject Alternative Names.
Replace security certificates through the UI
This method replaces the certificates for the UI server and the REST API. Only the Administrator and the Security Administrator roles can replace the certificates.
Prerequisites
Review the information in Certificate management on page 58.
Steps
1. From the left navigation pane, select Administration > Certificates.
The Certificates window appears.
2. On the Internal tab, click Replace Certificates. The Replace Certificates dialog box opens.
3. For the server's private certificate, click Select File and browse to the file that contains the RSA private certificate.
Alternatively, you can paste the contents of the certificate file into the corresponding field.
PowerProtect Data Manager validates the input. Correct any errors.
4. If the private certificate is encrypted, the Encrypted Private Key Password field appears. Type the password.
5. For the server's public certificate chain, click Select File and browse to the file that contains the signed certificate chain.
Alternatively, you can paste the contents of the certificate file into the corresponding field.
PowerProtect Data Manager validates the input. Correct any errors.
6. Click Replace.
PowerProtect Data Manager replaces the security certificates for the UI server and the REST API.
7. For any existing UI sessions, refresh the page to allow the new certificates to take effect.
Next steps
If you have added any vCenter servers, reinstall the PowerProtect plug-in. Reinstall the PowerProtect plug-in for the vSphere client on page 60 provides more information.
Replace security certificates with the CLI tool
This method replaces the security certificates for the UI server and the REST API.
Prerequisites
Review the information in Certificate management on page 58.
Cryptography 59
About this task
This task assumes that private-key.pem holds the security certificate's private key and that public-cert.pem holds the public certificate chain.
Steps
1. Connect to the PowerProtect Data Manager console as an admin user.
2. Securely copy private-key.pem and public-cert.pem to the /home/admin/.config directory.
3. Change to the /home/admin/.config directory:
cd /home/admin/.config 4. Verify the certificate and key permissions:
ls -l The console displays output similar to the following:
-rwx------ 1 admin admin 1675 Aug 28 16:57 private-key.pem -rwx------ 1 admin admin 3824 Aug 28 16:58 public-cert.pem
5. Replace the existing security certificates:
ppdmtool -replacecert -key /home/admin/.config/private-key.pem -cert /home/admin/.config/ public-cert.pem
For encrypted keys, include a -password
6. For any existing UI sessions, refresh the page to allow the new certificates to take effect.
Next steps
If you have added any vCenter servers, reinstall the PowerProtect plug-in. Reinstall the PowerProtect plug-in for the vSphere client on page 60 provides more information.
Reinstall the PowerProtect plug-in for the vSphere client
After you replace the default self-signed security certificates, there may be a brief delay before PowerProtect Data Manager exchanges the new certificates with attached vCenters.
About this task
During this period, you may see errors in the vSphere client PowerProtect portlet when you select virtual machines:
Service Unavailable: Please contact your administrator. No healthy upstream. The PowerProtect plug-in automatically refreshes the connection at the top of every hour and applies the new certificates to correct the condition. To immediately apply the new certificates, complete this task to reinstall the PowerProtect plug-in for each attached vCenter.
The PowerProtect Data Manager Administration and User Guide provides more information about working with the PowerProtect portlet and plug-in.
Only the Administrator role can reinstall the plug-in.
Steps
1. From the left navigation pane, select Infrastructure > Asset Sources.
The Asset Sources window appears.
2. On the vCenter tab, select the affected vCenter, and then click Edit. The Edit vCenter dialog opens.
3. For vSphere Plugin, clear Install.
4. Click Save. PowerProtect Data Manager removes the PowerProtect plug-in from the vCenter.
5. In the vSphere client, look for a notification that the PowerProtect plug-was removed, and then click REFRESH BROWSER.
60 Cryptography
If you do not have a notification, log out, and then log in again.
6. Verify that the PowerProtect portlet does not appear when you select virtual machines.
7. In the PowerProtect Data Manager UI, select the affected vCenter again, and then click Edit. The Edit vCenter dialog opens.
8. For vSphere Plugin, select Install.
9. Click Save. PowerProtect Data Manager installs the PowerProtect plug-in for the vCenter.
10. In the vSphere client, look for a notification that the PowerProtect plug-in was successfully deployed, and then click REFRESH BROWSER.
If you do not have a notification, log out, and then log in again.
11. Verify that the PowerProtect portlet appears when you select virtual machines and does not display any errors.
Restart the web service
When you replace the security certificates, the UI may continue to present the default self-signed security certificates. This result can occur regardless of the method that you use to replace the certificates. In this case, restart the web service to apply the changes.
Steps
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. Stop the web service:
systemctl stop nginx 3. Restart the web service:
systemctl start nginx
Next steps
After the web service starts, verify that the UI presents the replacement security certificates.
Exchange the new security certificates with vCenter for SPBM
When you replace the security certificates or upgrade PowerProtect Data Manager, you may need to exchange the new certificates with vCenter for storage policy based management (SPBM).
Steps
1. Obtain the new PowerProtect Data Manager root certificate.
Use SCP or another file transfer utility to download the certificate at /etc/ssl/certificates/custom/ globalca.pem from the server.
2. Add the vCenter as an asset source and complete asset discovery.
The PowerProtect Data Manager Administration and User Guide provides more information.
3. Add the new PowerProtect Data Manager root certificate to the vCenter certificate store.
The VMware documentation provides more information.
4. Register PowerProtect Data Manager with SPBM:
The VMware documentation provides more information. Select the top-level vCenter host.
Value Description
Name Any descriptive name. For example, PowerProtectDataManager-FQDN.
URL https://PowerProtectDataManager-FQDN:9009/vasa/version.xml Username A PowerProtect Data Manager user with the Administrator role.
Password The corresponding account password.
Cryptography 61
Substitute the placeholders with the PowerProtect Data Manager fully qualified domain name.
Results
PowerProtect Data Manager is ready to work with SPBM.
Next steps
If you upgrade PowerProtect Data Manager after replacing the security certificates and exchanging the certificates with SPBM, perform the following steps:
1. Obtain the PowerProtect Data Manager root certificate as described in this task. 2. Add the root certificate to the vCenter certificate store as described in this task.
The registration status shows Rescanning error or Offline until the session refreshes to use the new security certificate. Refreshes happen at the top of every hour. To immediately apply the new certificates, remove the SPBM storage provider, and then repeat step 4 on page 61.
Remove the PowerProtect Data Manager SPBM security certificates from vCenter
When you replace the security certificates, you can remove the old certificates from vCenter to clean up the certificate store.
Prerequisites
Review VMware KB articles 2111411 and 2146011.
CAUTION: Remove only the root certificate that enables PowerProtect Data Manager to work with SPBM.
Steps
1. Open the vCenter server appliance management interface.
Go to https://vCenter:5480.
2. Enable SSH access.
The VMware documentation provides more information.
3. Establish an SSH session to the vCenter server appliance and then open an elevated BASH shell session.
VMware KB article 2111411 provides instructions.
4. Remove the PowerProtect Data Manager SPBM security certificates from the certificate store.
VMware KB article 2146011 provides instructions for expired or expiring certificates, but the procedure is the same to remove the PowerProtect Data Manager root certificate. The VMware KB article provides instructions for vCenter server appliances and for Windows vCenter servers.
Use the information from the certificate on the PowerProtect Data Manager server at /etc/ssl/certificates/ custom/globalca.pem to identify the certificate.
62 Cryptography
Security Updates and Patching
Topics:
Security updates and patching Update the Velero or OADP version used by PowerProtect Data Manager
Security updates and patching Most security updates for PowerProtect Data Manager arrive as part of product updates to subsequent releases.
The PowerProtect Data Manager Administration and User Guide and the PowerProtect Data Manager Deployment Guide for each supported platform provide instructions for updating PowerProtect Data Manager. Use the instructions in Authenticity and Integrity on page 65 to verify product updates.
Information about security updates and any applicable out-of-cycle updates for PowerProtect Data Manager are posted to Customer Support and included as part of an applicable Dell Security Advisory (DSA).
The following topics provide information about security updates for third-party and embedded components.
Update the Velero or OADP version used by PowerProtect Data Manager When PowerProtect Data Manager is configured to protect Kubernetes clusters, Velero is used for backing of Kubernetes resources. In an OpenShift environment, PowerProtect Data manager uses OADP to deploy Velero. Each PowerProtect Data Manager release uses a specific version of Velero by default, which is documented in the file /usr/local/brs/lib/cndm/ config/k8s-image-versions.info. If you must update the Velero or OADP version that PowerProtect Data Manager uses in order to pick up the latest security fixes, perform the following procedure.
Prerequisites
NOTE: The Velero version should be updated to an incremental patch build only. A minor or major version of Velero or
OADP that is later than the default version that PowerProtect Data Manager uses might not be compatible.
Steps
1. Log in to PowerProtect Data Manager as an admin user.
2. Open the file /usr/local/brs/lib/cndm/config/k8s-dependency-versions-app.properties.
3. In a non-OpenShift environment, add the following line to this file to update the Velero version, and then save the file:
k8s.velero.version=vx.y.z Where vx.y.z is the Velero incremental patch version.
4. In an OpenShift environment, add the following line to this file to update the OADP version, and then save the file:
k8s.oadp.version=x.y.z Where x.y.z is the OADP incremental patch version.
5. Restart the CNDM service by running the command cndm restart, and then wait for a few seconds for the service to restart.
6. From the PowerProtect Data Manager UI, run a manual discovery of the Kubernetes cluster. When the discovery completes successfully, the configuration that is stored in the configuration map ppdm-controller- config on the Kubernetes cluster powerprotect namespace updates.
8
Security Updates and Patching 63
7. Run the following commands to delete the powerprotect-controller pod on the Kubernetes cluster. This action forces a restart, during which the changes take effect. This step should be performed when there are no backup or restore operations in progress.
kubectl get pod -n powerprotect kubectl delete pod powerprotect controller pod name -n powerprotect
8. Repeat steps six and seven for each Kubernetes cluster that is protected by PowerProtect Data Manager.
64 Security Updates and Patching
Authenticity and Integrity
Topics:
About product authenticity and integrity Verification
About product authenticity and integrity
PowerProtect Data Manager uses multiple methods to protect product code and downloads against compromise or corruption. These methods include SHA-256 checksums and digital signatures that you can verify through the methods included in this chapter.
The Drivers & Downloads area on Customer Support provides a set of checksum values for every file.
Critical processes, such as the deployment and update workflows, automatically check authenticity and integrity, and fail if either is compromised. However, there are several points where you should verify components and binaries before using them:
After you download the deployment or update packages. After you download the application agents and other PowerProtect Data Manager installable binaries. After you download hotfixes.
Some procedures, such as PowerProtect Data Manager deployment and updates, contain steps or opportunities to verify certificates or signatures.
Verification The following topics describe how you can verify the authenticity and integrity of PowerProtect Data Manager components and binaries. Verification typically includes confirmation that the components have not changed since the digital signatures were applied.
Most commonly, PowerProtect Data Manager components and binaries are either digitally signed or provided along with cryptographic checksums that you can use to verify the files.
Checksums for each component or binary may be provided on Customer Support, in KB articles, in this guide, or within PowerProtect Data Manager itself.
If your environment does not already contain a trusted root certificate authority (CA) for Entrust Code Signing Root Certification Authority - CSBR1, some verification operations may fail. In these cases, you can import the required root certificate to verify the signatures. For example, into your vCenter server.
Verify the signer or signers for Windows binaries
Use these steps to confirm that a Windows executable file or driver was signed by Dell and has not changed since the signing.
About this task
Some components, such as the File System and Microsoft Exchange Server agents, use drivers which both Dell and Microsoft have signed. These agents use block-based backup (BBB) drivers for backup and restore operations. The driver (nsrbbb.sys) resides in the Windows system folder, typically C:\Windows\System32\drivers. For dual-signed binaries, ensure that the signature list contains entries for both Dell and Microsoft.
Steps
1. Locate and select the file in the Windows File Explorer.
9
Authenticity and Integrity 65
2. Right-click the file and select Properties. The Properties sheet opens to the General tab.
3. Select the Digital Signatures tab. The tab displays a list of the digital signatures that are associated with the file.
4. Verify that the signature list includes an entry for Dell Technologies.
5. (Optional) Click Details to inspect the digital signature fields.
Verify the vendor for Linux (RPM-based) packages
Use these steps to confirm that a Linux RPM package file was signed by Dell and has not changed since the signing.
Steps
1. Open a terminal window or shell session.
2. Change directory to the location of the package file.
3. Check the properties for the package file:
rpm -qip package | grep Vendor where package is the package filename.
4. Verify that the package vendor is Dell EMC Corporation.
Verify the vendor for Linux (Debian-based) packages
Use these steps to confirm that a Linux Debian package file was signed by Dell and has not changed since the signing.
Steps
1. Open a terminal window or shell session.
2. Change directory to the location of the package file.
3. Check the properties for the package file:
dpkg-deb --showformat='${Package}\t${Version}\t${Maintainer}\n' --show package where package is the package filename.
4. Verify that the package vendor is Dell EMC support
Verify GPG signatures for Linux (RPM-based) packages
Use these steps to confirm that a Linux RPM package file was signed by Dell and has not changed since the signing.
Prerequisites
For GnuPG (GPG)-signed RPM package files, the public keys are valid for one year. Use the Dell public key for the year that the package was signed when you verify each package file. These annual public keys are provided as part of knowledge base (KB) articles KB000180913 and KB000197389.
Steps
1. Open a terminal window or shell session.
2. Change directory to the location of the package file.
3. Verify that the package file has a signature:
rpm --checksig -v package where package is the package filename.
If the package file has a signature, output similar to the following appears:
66 Authenticity and Integrity
package: Header V3 RSA/SHA1 Signature, key ID c5dfe03d: NOKEY Header SHA1 digest: OK 81e359380a5e229d96c79135aea58d935369c827) V3 RSA/SHA1 Signature, key ID c5dfe03d: NOKEY MD5 digest: OK (cc2ac691f115f7671900c8896722159c) The NOKEY messages indicate that the Linux system does not recognize the signing key.
4. Locate the applicable Dell public key in the KB article.
Copy the public key to a new text file on the Linux system and save the file.
5. Import the Dell public key to the local trust store:
rpm --import keyfile where keyfile is the text file that you created in a previous step.
6. With the Dell public key imported, reverify that the package file has a valid signature:
rpm --checksig -v package where package is the package filename.
If the package file has a valid signature, output similar to the following appears:
package: Header V3 RSA/SHA1 Signature, key ID c5dfe03d: OK Header SHA1 digest: OK (81e359380a5e229d96c79135aea58d935369c827) V3 RSA/SHA1 Signature, key ID c5dfe03d: OK MD5 digest: OK (cc2ac691f115f7671900c8896722159c) The OK messages indicate that the Linux system recognizes that the package was signed by a trusted key.
Verify the signature for JAR files
Some PowerProtect Data Manager components come in Java Archive (JAR) format. You can confirm that a signed JAR file has not changed since the signing.
Ensure that your Java environment is correctly configured and that you know the installed location of the Java Runtime Environment (JRE) or Java Development Kit (JDK). For example, by placing the Java locations in your system path. Current versions of the JDK contain the correct root certificate authority.
Open a command prompt, terminal window, or shell session and type the following command:
jarsigner -verify
The following output appears:
jar verified. Java verifies that the contents of the JAR file have not changed since the archive was signed. Observe the output for errors.
For more information about the signature on the JAR file, use the -verbose parameter.
Verify SHA-256 checksums in Windows
Before you use a downloaded file, you can verify the file against the SHA-256 cryptographic checksums that Dell provides.
Open the command prompt and type the following command:
certutil -hashfile
Output similar to the following appears:
SHA256 hash of file
Authenticity and Integrity 67
f7 b2 CertUtil: -hashfile command completed successfully. Compare the computed checksum to the checksum that you obtained with the downloaded file. The output of this command contains spaces, while the provided checksum may not.
Verify SHA-256 checksums in Linux
Before you use a downloaded file, you can verify the file against the SHA-256 cryptographic checksums that Dell provides. Checksums can be provided in separate files or as strings.
Checksum file provided
Open a terminal window or shell session and type the following command:
sha256sum -c
Output similar to the following appears:
Checksum file not provided
Open a terminal window or shell session and type the following command:
sha256sum
Output similar to the following appears:
43c403cb8a86fd3a3c75dc73c83cc81bae507ecf92195ee5fd1196eedc6e3076
Verify SHA-256 checksums in AIX
Before you use a downloaded file, you can verify the file against the SHA-256 cryptographic checksums that Dell provides.
Open a terminal window or shell session and type the following command:
openssl dgst -sha256
Output similar to the following appears:
SHA256(
68 Authenticity and Integrity
Miscellaneous Configuration and Management Elements
Topics:
Licensing Installing client software Application and application data backups
Licensing The PowerProtect Data Manager Licensing Guide provides more information about the product licensing options and capabilities.
Installing client software The client-side requirements for protection differ for each asset type and operating environment. The PowerProtect Data Manager application agent and asset user guides provide specific information about data protection security requirements, such as any necessary accounts, credentials, and system or resource permissions.
Port usage on page 43 provides information about communication between assets, agents, and PowerProtect Data Manager components.
Application and application data backups The PowerProtect Data Manager Administration and User Guide contains instructions to configure server disaster recovery (DR) protection and recover from server DR backups. You can configure backup retention and manage existing backups.
By default, PowerProtect Data Manager automatically configures server DR to use the first protection storage system. You can configure the destination by using the instructions in the PowerProtect Data Manager Administration and User Guide.
10
Miscellaneous Configuration and Management Elements 69
REST API Procedures This appendix describes additional methods to complete some procedures, if the recommended methods do not apply.
Topics:
Manual certificate replacement Configure password complexity and expiration through the REST API
Manual certificate replacement The recommended methods for replacing the security certificates may not apply to some environments that require additional precautions. The following topics describe additional manual methods to replace the default self-signed security certificates for PowerProtect Data Manager with certificates from an approved authority, if the recommended methods do not apply.
Review the guidance in Virtual networks on page 59. Use a secure method to transfer the certificates and keys to the PowerProtect Data Manager server.
Manual certificate replacement topics use the following filename placeholders and naming conventions for the required certificates and keystores:
custom.pemA public certificate chain in PEM format, signed by a Certificate Authority (CA).
customkey.pemThe corresponding private key in PKCS#1 (RSA) PEM format.
Optionally:
custom.keystoreA Java keystore with the private key and public certificate, signed by a CA.
globalca.pemThe root certificate for the CA that signed the public certificate.
Complete Prepare a public certificate and private key from a keystore on page 70 as necessary to prepare the required files in the proper formats. Then use the REST API to replace the security certificates by completing Manually install a custom security certificate through the REST API on page 71.
Prepare a public certificate and private key from a keystore
If you have a Java keystore that contains a private key and public certificate, extract the key and certificate from the keystore.
Steps
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. Securely copy custom.keystore to the /etc/ssl/certificates/custom directory.
3. Change to the /etc/ssl/certificates/custom directory:
cd /etc/ssl/certificates/custom 4. Export the public certificate in PEM format from the keystore:
keytool -list -alias custom -keystore custom.keystore -storepass custompass -rfc > custom.pem
Replace custom with the keystore alias that corresponds to the public certificate and custompass with the keystore password.
5. Export the private key from the keystore in PKCS#12 format:
keytool -importkeystore -srckeystore custom.keystore -srcalias custom -srcstorepass jkspass -destkeystore custom.p12 -deststoretype PKCS12 -storepass pkcspass Replace custom with the keystore alias that corresponds to the private key. Replace jkspass with the Java keystore password and pkcspass with a password for the PKCS file, respectively.
A
70 REST API Procedures
6. Convert the private key to PEM format:
openssl pkcs12 -in custom.p12 -passin pass:pkcspass -nocerts -nodes -out customkey.rsa openssl rsa -in customkey.rsa -out customkey.pem Replace pkcspass with the password for the PKCS file.
7. Print the contents of the certificate:
openssl x509 -text -in custom.pem 8. Extract the CA root certificate from the output.
Save the CA root certificate as globalca.pem.
Manually install a custom security certificate through the REST API
Alternatively, you can use the REST API to replace the security certificate. You must have the public certificate chain in PEM format and the private key in PKCS#1 (RSA) PEM format.
About this task
The token, certificate, and key examples in this task are simplified for clarity and space.
Steps
1. Log in to the PowerProtect Data Manager REST API as a user with the Administrator or Security Administrator role:
Use curl or a REST API client of your choice.
POST https://{{server}}:{{port}}/api/v2/login Headers: Content-Type: application/json Request Payload: { "username": "{{username}}", "password": "{{password}}" } where:
{{server}} is the FQDN or IP address for the PowerProtect Data Manager server. {{port}} is the REST API port, typically 8443. {{username}} and {{password}} are the PowerProtect Data Manager REST API credentials.
The REST API service returns an access token:
200 OK { "access_token": "eyJraWQiOiJkMjc5M", "token_type": "Bearer", "expires_in": 28800, "jti": "dadda4ef-c4ad-4153-9bee-82f5ad69c75a", "scope": "aaa", "refresh_token": "eyJraWQiOiJkMjc5M" } Record the access_token value.
2. Replace the security certificate:
Use curl or a REST API client of your choice.
POST https://{{server}}:{{port}}/api/v2/certificates-replacement Headers: Content-Type: application/json Authorization: Bearer {{access-token}} { "privateKey": "{{private-key}}",
REST API Procedures 71
"certificateChain": "{{cert-chain}}" "password": "{{password}}" } Replace {{private-key}} with a \n-delimited single-line string that represents the contents of customkey.pem. For example:
-----BEGIN RSA PRIVATE KEY----- \nMIIEowIBAAKCAQEArG7\n7HmzXgmP+7owxddYeId\nuXzfA7hedyuxRSV7Whb\nQQKvO3fQz3ywb6i56Lq\n--- --END RSA PRIVATE KEY-----\n Replace {{cert-chain}} with a \n-delimited single-line string that represents the contents of custom.pem. For example:
-----BEGIN CERTIFICATE----- \nMIIDdzCCAl+gAwIBAgI\nUzERMA8GA1UEChMIU2l\nMDkyMjE4MDEzNFoXDTI\nBAoTC1BQRE0gU2VydmV\n--- --END CERTIFICATE-----\n-----BEGIN CERTIFICATE----- \nEHD0fXjANBgkqhkiG9w\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAYTAlVTMREwDwY\n--- --END CERTIFICATE-----\n-----BEGIN CERTIFICATE----- \nMIIDSTCCAjGgAwIBAgI\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAsTEXd3dy5zaWd\n--- --END CERTIFICATE-----\n The password is an optional field, used when you supply an encrypted private key.
The REST API service returns a status code:
201 Created { "id": "004c443c-3e55-44da-ac1a-59fe65fec13a", "privateKey": "-----BEGIN RSA PRIVATE KEY----- \nMIIEowIBAAKCAQEArG7\n7HmzXgmP+7owxddYeId\nuXzfA7hedyuxRSV7Whb\nQQKvO3fQz3ywb6i56Lq\n--- --END RSA PRIVATE KEY-----\n", "certificateChain": "-----BEGIN CERTIFICATE----- \nMIIDdzCCAl+gAwIBAgI\nUzERMA8GA1UEChMIU2l\nMDkyMjE4MDEzNFoXDTI\nBAoTC1BQRE0gU2VydmV\n--- --END CERTIFICATE-----\n-----BEGIN CERTIFICATE----- \nEHD0fXjANBgkqhkiG9w\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAYTAlVTMREwDwY\n--- --END CERTIFICATE-----\n-----BEGIN CERTIFICATE----- \nMIIDSTCCAjGgAwIBAgI\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAsTEXd3dy5zaWd\n--- --END CERTIFICATE-----\n" }
3. For any existing UI sessions, refresh the page to allow the new certificates to take effect.
Next steps
If you have added any vCenter servers, reinstall the PowerProtect plug-in. Reinstall the PowerProtect plug-in for the vSphere client on page 60 provides more information.
If the UI continues to present the default self-signed security certificates, Restart the web service on page 61 provides instructions.
Configure password complexity and expiration through the REST API This topic describes how to configure the PowerProtect Data Manager password requirements through the REST API. If you change the regular expressions, change both regular expressions to keep the rules consistent.
The PowerProtect Data Manager REST API documentation provides more information, including examples, about how to use the REST API. Supply a valid access token with each REST API call.
Common password policy on page 18 describes the default password complexity rules. However, you can use the REST API to retrieve the current rules, which may be different:
GET server:REST-port/api/v2/policies/password Supply a valid access token with the REST API call. The response returns a list of values in JSON format:
{ "passwordRegex": "^(?=.*[A-Z])(?=.*[a-z])(?=.*\\d)(?=.*[\\p{Punct}])[A-Za-z \\d\ \p{Punct}]{9,100}",
72 REST API Procedures
"passwordRegexJS": "^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[$#@$!%*?& ^'/:,\\\\\\]\\[()+- \\.~<>\"={|}`;_])[A-Za-z\\d$#@$/!%*?& ^':,\\\\\\]\\[()+-\\.~<>\"={|}`;_]{9,}$", "policyDescription": "Password must have minimum 9 and maximum 100 characters, at least 1 uppercase letter, at least 1 lowercase letter, at least 1 numeric and at least 1 special character.", "maxAge": "P60D" }
Table 25. Rule descriptions
Rule Description
passwordRegex Controls the password length and strength for the REST API.
passwordRegexJS Controls the password length and strength for the UI.
maxAge Controls the password expiry interval. The default is 60 days.
You can also use the REST API to change these rules:
PUT server:REST-port
Related manuals for Dell PowerProtect 19.10 Data Manager Security Configuration Guide
Manualsnet FAQs
If you want to find out how the PowerProtect Dell works, you can view and download the Dell PowerProtect 19.10 Data Manager Security Configuration Guide on the Manualsnet website.
Yes, we have the Security Configuration Guide for Dell PowerProtect as well as other Dell manuals. All you need to do is to use our search bar and find the user manual that you are looking for.
The Security Configuration Guide should include all the details that are needed to use a Dell PowerProtect. Full manuals and user guide PDFs can be downloaded from Manualsnet.com.
The best way to navigate the Dell PowerProtect 19.10 Data Manager Security Configuration Guide is by checking the Table of Contents at the top of the page where available. This allows you to navigate a manual by jumping to the section you are looking for.
This Dell PowerProtect 19.10 Data Manager Security Configuration Guide consists of sections like Table of Contents, to name a few. For easier navigation, use the Table of Contents in the upper left corner.
You can download Dell PowerProtect 19.10 Data Manager Security Configuration Guide free of charge simply by clicking the “download” button in the upper right corner of any manuals page. This feature allows you to download any manual in a couple of seconds and is generally in PDF format. You can also save a manual for later by adding it to your saved documents in the user profile.
To be able to print Dell PowerProtect 19.10 Data Manager Security Configuration Guide, simply download the document to your computer. Once downloaded, open the PDF file and print the Dell PowerProtect 19.10 Data Manager Security Configuration Guide as you would any other document. This can usually be achieved by clicking on “File” and then “Print” from the menu bar.